Mosasauroidea / GazellePW

Movie-based Gazelle
MIT License

Security Issue #47

Closed elegiaque closed 1 year ago

elegiaque commented 1 year ago

Hi, I have found a high risk security issue within this application. Who do I contact to reasonably disclose this?

120318 commented 1 year ago

You could post it directly here.

elegiaque commented 1 year ago

This is critical in nature and sensitive; I would prefer a method of private conversation if possible.

elegiaque commented 1 year ago

Hi @120318, I'm necro'ing this issue as I haven't received any private contact details. The vulnerability lies within the https://github.com/Mosasauroidea/GazellePW/blob/main/app/API/ImgUpload.php API functionality. Fundamentally, this allows for the arbitrary upload of any file extension (including .php), and returns the uploaded path. It is quite trivial to obtain RCE through this. While this requires an API key, there also exists a stored XSS vulnerability within the mouse-over avatar functionality. Simply include a payload such as <script>alert(1)</script> and mouse over the user's avatar for the XSS to pop. This could be used to retrieve a user's API key from their settings page.
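The stored XSS described in the report above is the classic case of a user-controlled string (here, text shown when hovering an avatar) being interpolated into HTML without escaping. The following PHP is an added illustration, not code from GazellePW: it places the vulnerable pattern beside the hardened one. Function names, the attribute the payload lands in, and the default avatar path are assumptions.

```php
<?php
// Added example, not the project's own code. Contrasts unescaped
// interpolation of user input into markup with context-aware escaping.

declare(strict_types=1);

/** Escape a string for use as HTML text or inside a double-quoted attribute. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Vulnerable pattern: every value is dropped into the markup as-is, so a
 * title containing a quote can close the attribute and inject a tag.
 */
function avatar_html_vulnerable(string $username, string $avatarUrl, string $title): string
{
    return "<img src=\"$avatarUrl\" alt=\"$username\" title=\"$title\">";
}

/**
 * Hardened pattern: each attribute value passes through h(), and the
 * avatar URL is restricted to http/https so "javascript:" URLs are dropped.
 */
function avatar_html_safe(string $username, string $avatarUrl, string $title): string
{
    $scheme = strtolower((string) parse_url($avatarUrl, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        $avatarUrl = '/static/default-avatar.png'; // assumed fallback path
    }
    return '<img src="' . h($avatarUrl)
        . '" alt="' . h($username)
        . '" title="' . h($title) . '">';
}

// Constructed input modelled on the payload quoted in the report.
$title = '"><script>alert(1)</script>';

// In the safe version the quote and angle brackets come out as
// &quot; &lt; &gt; entities, so the browser renders them as text.
echo avatar_html_safe('alice', 'https://example.test/a.png', $title), "\n";
```

The same rule applies wherever the tooltip text is emitted: if the hover text is built in JavaScript (for example via `innerHTML`), it needs escaping or `textContent` there as well, because escaping only at one of two output points leaves the other one exploitable.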

120318 commented 1 year ago

Thanks for the reminder. I added extension checking for this interface; maybe it can solve the security issue you raised?
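Extension checking on its own is a thin defence for an upload endpoint: the client-supplied filename and `Content-Type` are both attacker-controlled, a denylist misses alternate extensions, and a reused original filename gives the uploader control over the stored path. The PHP below is an added example, not the project's patch, of what a fuller validation routine for an image upload looks like: an extension allowlist tied to expected MIME types, content sniffing with `finfo`, an image-parse check, a random server-chosen filename, and a non-executable mode. Function names, the `$_FILES` field name and the upload directory are assumptions.

```php
<?php
// Added example of hardened image-upload validation. Not GazellePW's code;
// names and paths are assumed for illustration.

declare(strict_types=1);

/**
 * Validate one entry of $_FILES as an image and return a safe filename.
 * Throws RuntimeException on any failure so the caller cannot proceed.
 */
function validate_image_upload(array $file, int $maxBytes = 2 * 1024 * 1024): string
{
    // Allowlist: extension => the MIME type the file content must actually have.
    static $allowed = [
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'png'  => 'image/png',
        'gif'  => 'image/gif',
    ];

    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . (int) ($file['error'] ?? -1));
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not a file uploaded via HTTP POST');
    }
    if ($file['size'] > $maxBytes) {
        throw new RuntimeException('File too large');
    }

    // Only the final extension counts, lowercased. A name like
    // "x.php.jpg" yields "jpg"; the content checks below then decide.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('Extension not allowed');
    }

    // Sniff the real content; never trust the client-sent $file['type'].
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        throw new RuntimeException("Content type $mime does not match extension .$ext");
    }

    // The file must also parse as an image.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Not a valid image');
    }

    // Server-generated name: nothing the uploader controls reaches the path.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

/** Validate, move into the upload directory, and return the stored name. */
function store_image_upload(array $file, string $uploadDir): string
{
    $name = validate_image_upload($file);
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not move uploaded file');
    }
    // Stored uploads are data, not code.
    chmod($dest, 0644);
    return $name;
}

// Usage (assumed form field "file" and assumed upload directory):
// $saved = store_image_upload($_FILES['file'], __DIR__ . '/../static/uploads');
```

Two server-side settings complete the picture and are independent of this code: the upload directory should be served with script execution disabled (for example, no PHP handler mapped to that location in the web server configuration), and the response that returns the stored path should return the generated name rather than echoing anything from the request.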