Twitter Unrestricted File upload vulnerability
Hello everyone, I'm Ebrahim Hegazy and I enjoy spending time hunting for web application vulnerabilities, especially for vendors that provide a bug bounty reward or a Hall of Fame for security researchers.
During my research on twitter.com, I found myself on the "create new application" page, where I have the option to upload an image for my newly created application. When you find an upload page (whatever file extensions it allows), it is possibly vulnerable to certain scenarios/types of vulnerabilities such as:
1- It accepts .png, .jpg and .gif only, but if you upload file.php it will pass!
2- It accepts images only, but if you upload file.png.php it will pass!
3- Tricking the file upload validation by uploading file.png, intercepting the POST request, then editing the file name to be file.php, and it will pass.
4- Even if the uploader accepts images only, you can still try "directory navigation" by uploading file.jpg, then intercepting the request and editing the file name to be ../../file.jpg, which would move your uploaded file to the main directory, e.g. site.com/file.jpg instead of site.com/upload/images/file.jpg. And there are many other tricks that you can test with file upload pages.
In Twitter's case, number 3 (above) worked for me, and I was able to upload files with any extension such as php, exe, txt and more.
In normal scenarios, successful exploitation of uploading PHP files to a server that supports PHP means remote code execution on that server. But for twimg.com, the server that hosts the uploaded files is a CDN (content delivery network), and on CDNs scripting engines are usually not allowed to run. So the consequences of this Twitter vulnerability are:
1- It could be used to make twimg.com a botnet command server by hosting a text file with commands, so infected machines would connect to that file to take their commands. Since twimg.com is a domain trusted by users, it won't grab attention.
2- Hosting of malicious files.
3- It could be used to upload a text page with defacement content and then add the affected subdomains of twimg.com as a mirror to zone-h.org, which would affect the reputation of Twitter.
Recommendations for developers
1- Never check the file MIME type only.
2- Always check the file extension after it gets uploaded.
3- Always force the upload page to rename the uploaded file to one of your allowed extensions + a random number, so if the attacker uploads a file named file.php, your page should automatically rename the uploaded file to something like file65786776723.jpg.
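To show what the three recommendations look like in server-side code, and how they defeat the four bypass scenarios listed earlier, here is an added example of an upload check. It is not Twitter's code and not the author's; the function names, the constructed sample uploads and the allow-list are assumptions made for this illustration. It goes one step beyond the post by also comparing the first bytes of the upload against the standard image format signatures, so that a PHP payload renamed to .png is rejected as well.

```python
import os
import re
import secrets

# Constructed allow-list: permitted extension -> standard leading bytes of that
# image format (public format signatures, not values from the original post).
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

_SAFE_EXT = re.compile(r"^[a-z0-9]+$")


def classify_upload(client_filename, client_mimetype, content):
    """Return (accepted, reason_or_stored_name) for one uploaded file.

    The client-supplied MIME type is deliberately ignored (recommendation 1):
    it is attacker controlled. Only the final extension of the client name is
    consulted (recommendation 2), and an accepted file is stored under a
    server-chosen random name with the allow-listed extension (recommendation 3).
    """
    # Scenario 4: drop any directory components such as "../../file.jpg".
    base = os.path.basename(client_filename.replace("\\", "/"))
    if base in ("", ".", "..") or "." not in base:
        return False, "missing or extensionless filename"

    # Scenarios 1-3: only the LAST extension counts, so "file.png.php" is "php".
    ext = base.rsplit(".", 1)[1].lower()
    if not _SAFE_EXT.match(ext) or ext not in ALLOWED:
        return False, f"extension .{ext} not allowed"

    # Extra check: the bytes must actually start like the claimed image type.
    if not content.startswith(ALLOWED[ext]):
        return False, f"content does not match .{ext} signature"

    # Recommendation 3: random server-chosen name + allow-listed extension.
    stored_name = f"{secrets.token_hex(16)}.{ext}"
    return True, stored_name


# Constructed sample uploads: (label, client filename, client MIME type, bytes).
SAMPLES = [
    ("wrong_extension",  "shell.php",        "image/png",  b"\x89PNG\r\n\x1a\n..."),
    ("double_extension", "photo.png.php",    "image/png",  b"\x89PNG\r\n\x1a\n..."),
    ("php_body_png_name", "photo.png",       "image/png",  b"<?php echo 1; ?>"),
    ("traversal_name",   "../../photo.jpg",  "image/jpeg", b"\xff\xd8\xff\xe0..."),
    ("bogus_mimetype",   "photo.gif",        "text/plain", b"GIF89a..."),
]


def check_samples():
    """Run every constructed sample through classify_upload; label -> result."""
    return {label: classify_upload(name, mime, body)
            for label, name, mime, body in SAMPLES}


if __name__ == "__main__":
    for label, (accepted, detail) in check_samples().items():
        print(f"{label:18} {'ACCEPT' if accepted else 'REJECT'}  {detail}")
```

The first three samples are the post's bypasses (wrong extension, double extension, and a renamed-at-interception payload) and are all rejected; the last two are legitimate images that arrive with a traversal path or a wrong MIME type and are accepted, but stored under a random name that contains no path component and carries only the allow-listed extension.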
About The Author
Ebrahem Hegazy, Acknowledged Bug Bounty Hunter