scrapinghub / slackbot

A chat bot for Slack (https://slack.com).
MIT License

Local File Inclusion Vulnerability in file upload feature/example #106

Closed maus- closed 7 years ago

maus- commented 8 years ago

You can arbitrarily upload any file on the host of the slackbot, i.e. !upload ../../../../etc/passwd, or get it to drop sensitive config files.

maus- commented 7 years ago

You really should scope which folder contains the data to be uploaded, to mitigate this.

roperi commented 7 years ago

Good point. Although I think upload.py should be taken as an example, it should nevertheless be pointed out, at least in the comments of the function.
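One way to apply the scoping suggested above, as an added example that is not the slackbot project's code: every `!upload <name>` request is resolved against a single allowed folder and rejected if it escapes it. `UPLOAD_DIR`, `resolve_upload_path` and `handle_upload_command` are assumed names for this illustration, and the folder location is a placeholder.

```python
import os
import shlex

# Assumed location of the folder the bot may serve files from (placeholder).
UPLOAD_DIR = "/srv/slackbot/uploads"


def resolve_upload_path(base_dir: str, requested: str) -> str:
    """Return the real path of `requested` inside `base_dir`, or raise ValueError.

    realpath() collapses ".." segments and follows symlinks, so a file that is
    symlinked out of base_dir is rejected too, not only literal traversal.
    """
    if not requested:
        raise ValueError("empty file name")
    if os.path.isabs(requested):
        raise ValueError("absolute paths are not allowed")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    # commonpath avoids the prefix bug where "/srv/uploads2" would pass a
    # plain startswith("/srv/uploads") check.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes the upload directory: %s" % requested)
    if target == base:
        raise ValueError("refers to the upload directory itself")
    return target


def handle_upload_command(text: str, base_dir: str = UPLOAD_DIR) -> str:
    """Parse "!upload <name>" and return the vetted path or an error line.

    A real bot handler would hand the returned path to the chat client's
    upload call; it is returned here so the decision can be checked directly.
    """
    try:
        parts = shlex.split(text)
    except ValueError:
        return "error: could not parse command"
    if len(parts) != 2 or parts[0] != "!upload":
        return "usage: !upload <file name inside the upload folder>"
    try:
        return resolve_upload_path(base_dir, parts[1])
    except ValueError as exc:
        return "error: %s" % exc
```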