This repository has been archived by the owner on Jan 11, 2023. It is now read-only.

Security issue of GCDWebUploader #433

Closed
SiOS-Submission opened this issue Aug 7, 2019 · 1 comment

@SiOS-Submission

The method moveItem in the GCDWebUploader class checks the FileExtension of newAbsolutePath but not of oldAbsolutePath. By taking advantage of this error, an adversary can make an inaccessible file available, for instance the app's credentials. I have found a real app affected by this vulnerability.
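
The check described in the report above, modelled in Python as an added example that is not part of the original report and is not GCDWebServer code: a move handler that validates only the destination's extension, next to one that validates both paths. The root directory, the allowed-extension list and all function names are assumptions, and the containment check goes beyond what the report mentions.

```python
import os

# Constructed policy values for this example (assumptions, not the project's defaults).
UPLOAD_ROOT = "/srv/uploads"
ALLOWED_EXTENSIONS = {"txt", "jpg", "png"}


def resolve(relative_path, root=UPLOAD_ROOT):
    """Join a client-supplied relative path onto the root and normalize it."""
    return os.path.normpath(os.path.join(root, relative_path.lstrip("/")))


def inside_root(path, root=UPLOAD_ROOT):
    """True if the normalized path stays inside the upload root."""
    root = os.path.normpath(root)
    return os.path.commonpath([root, path]) == root


def extension_allowed(path, allowed=ALLOWED_EXTENSIONS):
    """True if the file name carries an allowed extension (case-insensitive)."""
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    return ext in allowed


def move_allowed_destination_only(old_rel, new_rel):
    """Models the reported behaviour: only the new path's extension is checked."""
    old_abs, new_abs = resolve(old_rel), resolve(new_rel)
    return inside_root(old_abs) and inside_root(new_abs) and extension_allowed(new_abs)


def move_allowed_both_paths(old_rel, new_rel):
    """Hardened form for file moves: source and destination pass the same checks."""
    for path in (resolve(old_rel), resolve(new_rel)):
        if not inside_root(path) or not extension_allowed(path):
            return False
    return True


if __name__ == "__main__":
    # Constructed request: a file with a non-allowed extension renamed to an allowed one.
    request = ("credentials.plist", "credentials.txt")
    print("destination-only check:", move_allowed_destination_only(*request))
    print("both-paths check:      ", move_allowed_both_paths(*request))
```
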

@swisspol swisspol added the bug label Aug 9, 2019
@swisspol
Owner

swisspol commented Aug 9, 2019

Thanks for reporting, I will have a look.

Johennes pushed a commit to kayak/GCDWebServer that referenced this issue Oct 19, 2020