Dear @ignacionelson,
I found a Path traversal vulnerability on your application!
Description
Because of not checking if clause for chunks parameter when chunks >= 2, the user with Uploader role can add value 2 for chunks param to bypass fileName sanitizer
In Step 1: 3 parameter that I can control when using upload function chunk, chunks, fileName
In Step 2: The if clause check if chunks parameter < 2, the fileName parameter will be handled. So i add value 2 for chunks param then it will pass Step 2 and go to Step 3
if i don't add value for chunk then the chunk parameter goes to 0 and add value 2 for chunks parameter, i can pass this if
Step To Reproduce
Use burpsuite to capture upload request
Change valuable of chunks parameter to 2 and add dot dot for name parameter to escape root directory
The file was uploaded in webroot directory with index.html.part name
Dear @ignacionelson,
I found a Path traversal vulnerability on your application!
Description
Because of not checking if clause for

chunksparameter whenchunks>= 2, the user with Uploader role can add value2forchunksparam to bypassfileNamesanitizerIn Step 1: 3 parameter that I can control when using upload function
chunk,chunks,fileNameIn Step 2: The if clause check if
chunksparameter <2, thefileNameparameter will be handled. So i add value2forchunksparam then it will pass Step 2 and go to Step 3if i don't add value for
chunkthen thechunkparameter goes to0and add value2forchunksparameter, i can pass this ifStep To Reproduce
chunksparameter to2and add dot dot fornameparameter to escape root directoryindex.html.partnameRequest:
Solutions:
Add if clause to check when
chunksparameter >=2The text was updated successfully, but these errors were encountered: