In this blog post I'll discuss some of the disclosures I have made on huntr.
For those who are new to huntr: huntr.dev is a bug bounty board for securing open-source code. It helps the open-source community disclose and fix security vulnerabilities, and get paid for doing it. I joined some months ago and it has been a very nice experience with the huntr team and the community.
Along the way I have made 40+ disclosures across different vulnerability classes such as XXE, XSS, SSRF, Zip-Slip and deserialization attacks on repositories including tensorpack, list.js and others, plus 10+ fixes. Yes, finding and fixing vulnerabilities in those packages was very interesting.
- https://www.huntr.dev/bounties/1-other-mucommander/ which is written in Java
- https://www.huntr.dev/bounties/1-other-rc-zip/ (Rust), which was fixed recently by one of huntr's members, mufeedvh
So yes, there are many other repositories that are still vulnerable and really need your help ;) and you can earn some bucks 💰 too. In web application scenarios, like the one I mentioned on BookStack, this is a really critical one. Here is the Proof of Concept video
Here is how I found it.
First, I had installed BookStack to test for an XSS that is already disclosed, https://www.huntr.dev/bounties/1-other-BookStack/ , so this is my second finding on this repo.
After this XSS I hunted for other vulnerabilities and noticed that there is a way to import e-books which allows users to submit files in zip format, to reduce the size of the uploaded file. Later, the application decompresses the archive and gets back the actual files inside the zip.
OK, now let's look a bit deeper.
If the application doesn't validate the filenames in the uploaded zip before extracting it, it is vulnerable to a Zip-Slip attack. Note that this also affects other archive formats including tar, jar, war, cpio, apk, rar and 7z. The attacker uploads a zip containing a specially crafted file name. In this case, a zip with a file name
Here is the example zip I created for testing, using https://github.com/cesarsotovalero/zip-slip-exploit-example ; this repo is very useful.
So in my case I created a file name containing some “../” and a correct folder name. If the application doesn't validate the filenames in the uploaded zip, it is going to decompress them into dangerous paths.
This is because “../” is treated as one level up in the directory structure on Unix-based systems, and for Windows “
The FIX:
OK, this can be simply fixed by stripping out “../” from filenames, or by simply ignoring any entry that has “..” in its filename. Here is mufeedvh's fix for rc-zip on huntr, which was merged later: https://github.com/418sec/rc-zip/pull/1
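To make both the mechanism described above and the fix concrete, here is an added Python example of my own; it is not code from BookStack, rc-zip or this post. It builds a small constructed archive in memory with one benign entry and two hostile ones (a “../” name and an absolute name), shows where a naive extractor would write each entry, and then extracts with a containment check: the final path is resolved and must stay inside the destination directory. That check is more robust than stripping “../” substrings, because substring stripping does not catch absolute entry names and a single strip pass can leave a traversal behind after normalisation. All entry names and contents are constructed for the demo.

```python
"""Zip-Slip: constructed hostile archive, naive target paths, and a hardened extractor."""
import io
import os
import tempfile
import zipfile


def build_test_zip() -> bytes:
    """Constructed sample archive (not from the post): one benign entry, one that
    climbs out of the extraction directory, and one with an absolute path.
    zipfile.ZipInfo lets us write arbitrary entry names, so the archive has the
    shape a server would receive from a malicious upload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("book/chapter1.html", "<h1>hello</h1>")
        zf.writestr(zipfile.ZipInfo("book/../../evil.txt"), "owned")
        zf.writestr(zipfile.ZipInfo("/etc/hypothetical.conf"), "x")
    return buf.getvalue()


def naive_targets(zip_bytes: bytes, dest_dir: str) -> dict:
    """Where an extractor that does os.path.join(dest, name) with no check would
    write each entry. Nothing is written; this only computes the resulting paths."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {i.filename: os.path.normpath(os.path.join(dest_dir, i.filename))
                for i in zf.infolist()}


def is_safe_entry(name: str, dest_dir: str) -> bool:
    """True only if `name`, joined onto dest_dir, resolves to a path inside dest_dir.

    Both sides are passed through realpath so '..' segments, repeated slashes and
    symlinked destinations are normalised before comparison; an absolute entry name
    makes os.path.join discard dest_dir, so it fails the containment test too."""
    if "\\" in name or "\x00" in name:      # backslash separators / NUL: reject outright
        return False
    dest_real = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_real, name))
    return os.path.commonpath([dest_real, target]) == dest_real


def safe_extract(zip_bytes: bytes, dest_dir: str):
    """Extract only entries that pass is_safe_entry. Returns (extracted, rejected).

    Entries are written by hand rather than via ZipFile.extract(), whose own name
    sanitisation would hide the point: in many languages' zip libraries the caller
    is responsible for this check, and the BookStack and rc-zip cases show what
    happens when it is missing."""
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_entry(info.filename, dest_dir):
                rejected.append(info.filename)
                continue
            target = os.path.join(dest_dir, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected


def demo():
    """Run the whole flow in a temporary directory; returns (extracted, rejected)."""
    data = build_test_zip()
    with tempfile.TemporaryDirectory() as dest:
        for name, where in naive_targets(data, dest).items():
            inside = os.path.commonpath([dest, where]) == dest
            print(f"{name!r}: naive extractor would write {where} ({'inside' if inside else 'OUTSIDE'} dest)")
        extracted, rejected = safe_extract(data, dest)
        print("extracted:", extracted)
        print("rejected: ", rejected)
    return extracted, rejected


if __name__ == "__main__":
    demo()
```

Running the script prints the path a naive extractor would have written for each entry and then shows the hardened extractor keeping only `book/chapter1.html`. The containment check is what matters; whether rejected entries are skipped, as here, or abort the whole import is a product decision.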
So that's all for now. Thank you <3