Closed huntr-helper closed 3 years ago
Please post the details in the GitHub issue here: @JamieSlome, closing for now.
@cheeseblubber - please see the PoC that was provided to us.
💥 BUG Open S3 bucket allows anyone to read any user's file
💥 IMPACT Any user can download any other user's uploaded file. Users may also be able to update or delete any uploaded file in the S3 bucket (not tested). AWS offers a command line tool for manipulating S3 buckets; see below.
aws s3 ls s3://mybucket --> to list all files
aws s3 cp myfolder s3://mybucket/myfolder --recursive --> to copy all files
aws s3 rm s3://mybucket/test2.txt --> to remove a file
Check more: https://aws.amazon.com/cli/ https://docs.aws.amazon.com/cli/latest/reference/s3/rm.html
💥 AFFECTED S3 bucket https://papercups-files.s3.amazonaws.com/
💥 STEPS TO REPRODUCE From your account, upload a file and see that it is uploaded to the S3 bucket. Now you can read any user's uploaded file.
💥 VIDEO https://drive.google.com/file/d/1sqQ5J_4bnWXD_9TPAM66WOit9yWvgil_/view?usp=drivesdk
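A defender's check for the class of misconfiguration reported above, added here as an example and not code from the papercups project or the reporter. It lints the three places anonymous read access to an S3 bucket can come from: the bucket policy, the legacy bucket ACL, and the Public Access Block settings. The input shapes mirror the GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock API responses, but all values (bucket name `example-uploads`, account id, role name, owner id) are constructed placeholders and no AWS call is made. The weak configuration is shown beside a hardened one in which only an application role may touch objects and end users are expected to receive short-lived presigned URLs from the application instead of reading the bucket directly.

```python
"""Offline linter for S3 bucket exposure (added example; constructed samples only)."""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """'*' or {'AWS': '*'} allows unauthenticated requests."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_statements(policy):
    """Return (Sid, sorted actions) for every unconditional Allow to anonymous principals.

    Statements with a Condition block (e.g. aws:SourceVpce, aws:SourceIp) are skipped:
    they may already scope access and need manual review, not an automatic verdict.
    """
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        if statement.get("Effect") != "Allow" or statement.get("Condition"):
            continue
        if not _principal_is_anonymous(statement.get("Principal")):
            continue
        sid = statement.get("Sid", f"statement-{index}")
        findings.append((sid, sorted(_as_list(statement.get("Action")))))
    return findings


def public_acl_grants(acl):
    """Return (group, permission) for grants to the AllUsers/AuthenticatedUsers groups."""
    grants = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            grants.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return grants


def assess_bucket(policy, acl, public_access_block):
    """Combine policy, ACL and Public Access Block into one verdict.

    With all four Public Access Block settings on, S3 ignores public ACLs and
    restricts public policies, so a stray grant is no longer reachable anonymously
    (it is still reported so it can be removed).
    """
    policy_findings = public_policy_statements(policy)
    acl_findings = public_acl_grants(acl)
    pab_complete = all(public_access_block.get(key) is True for key in PAB_KEYS)
    return {
        "policy_findings": policy_findings,
        "acl_findings": acl_findings,
        "public_access_block_complete": pab_complete,
        "effectively_public": bool(policy_findings or acl_findings) and not pab_complete,
    }


# --- Constructed samples (placeholders, not real resources) -------------------

# Weak configuration: anyone can GetObject on every key, and the legacy ACL
# also grants READ to the AllUsers group. Public Access Block is off.
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-uploads/*"}]}
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"},
               "Permission": "FULL_CONTROL"}
OPEN_ACL = {"Grants": [OWNER_GRANT, {"Grantee": {"Type": "Group", "URI": ALL_USERS},
                                     "Permission": "READ"}]}
NO_PAB = {key: False for key in PAB_KEYS}

# Hardened configuration: only the application's role (placeholder account id
# and role name) may read/write, plaintext HTTP is denied, Block Public Access on.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRoleOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-uploads-role"},
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::example-uploads/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-uploads", "arn:aws:s3:::example-uploads/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
PRIVATE_ACL = {"Grants": [OWNER_GRANT]}
FULL_PAB = {key: True for key in PAB_KEYS}

if __name__ == "__main__":
    print("open:", assess_bucket(OPEN_POLICY, OPEN_ACL, NO_PAB))
    print("hardened:", assess_bucket(HARDENED_POLICY, PRIVATE_ACL, FULL_PAB))
```

In a live audit the same three functions can be fed the parsed responses of the corresponding AWS API calls; the verdict for the open sample is `effectively_public: True`, while the same policy and ACL behind a complete Public Access Block are reported but not reachable anonymously.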
Great thanks this is fixed now
@cheeseblubber - great, happy to hear!
Are you able to confirm the advisory patch on the platform or let me know what is the commit SHA that patches this?
Thanks! 🍰
👋 Hello, @reichert621, @cheeseblubber, @rhonsby - a potential high severity Invocation of Process Using Visible Sensitive Information vulnerability in your repository has been disclosed to us.
Next Steps
1️⃣ Visit https://huntr.dev/bounties/1-other-papercups-io/papercups for more advisory information.
2️⃣ Sign-up to validate or speak to the researcher for more assistance.
3️⃣ Propose a patch or outsource it to our community - whoever fixes it gets paid.
Confused or need more help?
Join us on our Discord and a member of our team will be happy to help! 🤗
Speak to a member of our team: @JamieSlome
This issue was automatically generated by huntr.dev - a bug bounty board for securing open source code.