[SECURITY] No Context Checking #981

Closed
ybelenko opened this issue May 28, 2019 · 0 comments

@ybelenko (Contributor) commented May 28, 2019

Feature Request

About the audited Directus version: it was cloned from the suite repo.
Latest commit: directus/directus@1d151a9

Description:

The file upload mechanism allows getting a direct link to the uploaded file without any authentication. In addition, the file upload mechanism does not enforce any file extension restriction or MIME type check. This vulnerability allows an attacker to use it to distribute malicious / spyware / malware files, etc.

Business risk:

After exploiting this vulnerability, an attacker can upload a malicious file to the server.

Technical details:

The upload mechanism allows a malicious user to upload any file into the system.

The following link is the URL of the uploaded EICAR malicious test file.

https://xxxxxxx/uploads/_/originals/eicar.com.txt


A malicious user can use this functionality to upload a malicious file and send it as a legitimate link to other victims, attacking them through their trust in the system.

It was also found that the file size limitations permit users to upload large files (maximum 50MB) even in cases where the uploaded file does not need to be large, for example an image for the user's avatar.


What problem does this feature solve?

Fixes security hole.

How do you think this should be implemented?

  • Do not allow any access to uploaded files without authentication.
  • Restrict file extensions using a whitelist approach. The file types allowed to be uploaded should be restricted to only those that are necessary for business functionality.
  • The application should perform filtering and content checking on any files which are uploaded to the server. Files should be thoroughly scanned and validated before being made available to other users.
  • Limit the file size to a reasonable maximum value in order to prevent denial of service attacks (on file space or other web application functions such as the image resizer).
  • Use a virus scanner on the server (if applicable). Or, if the contents of the files are not confidential, a free virus scanner website can be used. In this case, the file should first be stored with a random name and without any extension on the server, and after the virus check (uploading to the free virus scanner website and getting back the result), it can be renamed to its specific name and extension.
  • Implement an authorization mechanism that validates whether the user is authorized to view or download the specific file.
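The extension whitelist, content check, per-purpose size cap and random extension-less storage name from the list above, combined into one validation step. This is an added illustration in Python and not Directus code; the allowed types, the size limits and the `purpose` names are assumptions for the example.

```python
import os
import secrets

# Whitelist: allowed extension -> magic bytes the content must start with.
# Assumption for this example: only these image types are needed by the business.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Per-purpose size caps in bytes (hypothetical values; an avatar never needs 50MB).
SIZE_LIMITS = {"avatar": 512 * 1024, "generic": 10 * 1024 * 1024}


class UploadRejected(Exception):
    """Raised with a reason when an upload fails one of the checks."""


def validate_upload(filename: str, data: bytes, purpose: str = "generic") -> str:
    """Run all checks; return an opaque, extension-less storage name on success.

    Only the last extension of the client-supplied name is considered, so
    "x.php.png" is judged on "png" and must still carry PNG magic bytes.
    """
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension not allowed: {ext or '(none)'}")

    limit = SIZE_LIMITS.get(purpose, SIZE_LIMITS["generic"])
    if len(data) > limit:
        raise UploadRejected(f"{purpose} upload too large: {len(data)} > {limit} bytes")

    # Content check: the declared extension must agree with the file header,
    # so a renamed script or executable is rejected regardless of its name.
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match the declared extension")

    # Store under a random name with no extension; the original name and
    # extension are only restored after the scanner has cleared the file.
    return secrets.token_hex(16)


if __name__ == "__main__":
    # Constructed sample inputs, not real uploads.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
    print("stored as", validate_upload("avatar.png", png, purpose="avatar"))
    for name, blob in [("notes.txt", b"plain text"), ("fake.png", b"<?php echo 1;")]:
        try:
            validate_upload(name, blob)
        except UploadRejected as err:
            print(name, "rejected:", err)
```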

Would you be willing to work on this?

Maybe, with help/guidance from Directus team.

@benhaynes benhaynes added this to Needs triage in Bug Triage via automation May 31, 2019

@bjgajjar bjgajjar moved this from Needs triage to Medium priority in Bug Triage Jun 6, 2019

Bug Triage automation moved this from Medium priority to Closed Jul 15, 2019

@bjgajjar bjgajjar added this to Done in v2.3.0 Jul 15, 2019
