author    Louis Burda <quent.burda@gmail.com>  2022-09-27 21:07:33 +0200
committer Louis Burda <quent.burda@gmail.com>  2022-09-27 21:22:29 +0200
commit    18d2171b69b004bf4d67ec5a9b45e7b482cd5496 (patch)
tree      8f7e89c62fb3e7a300c9bd8feb7db5f6f7a145f4
parent    b047d99431e311efe28ea3f1671c1307bb2fcf5f (diff)
Update vuln descriptions
-rw-r--r--  README.md | 31
1 file changed, 17 insertions, 14 deletions
diff --git a/README.md b/README.md
index 395518a..3b8525d 100644
--- a/README.md
+++ b/README.md
@@ -1,25 +1,28 @@
## CatchBox
-Simple file upload service.
+*The logical successor to Dropbox.*
-Flag user- and filenames are given as attack info.
+### Flagstores
-Flagstore 1 is stored in a file from the flag user.
+Flag user- and filenames are given as attack info.
-Flagstore 2 is stored in a report created by the flag user.
+Flagstore 1 is a file uploaded by the flag user.
-### VULNS
+Flagstore 2 is a report created by the flag user.
-1. upload file directory name is generated based on creation time
- (can be bruteforced using user creation time)
+### Vulnerabilities
-2. upload filename path traversal allows for reading reports and uploads
- (filename check is fumbled via php type juggling and wrong variable use)
+1. The random value used to generate the upload directory name is seeded
+ using the time of the request, which can be inferred (with minimal bruteforce)
+ from the user creation time in the 'users' endpoint. (flagstore 1)
-3. nginx uploads alias allows arbitrary file read in /service (except database)
+2. The upload endpoint has a path traversal that allows reading of other
+ users' reports and uploads. There is a type confusion between the
+ return of strpos and false, which allows paths like "*/../*" to bypass
+ the check since the index is 0 (== false). Additionally, the unsanitized
+ parameter is stored in the database. (flagstore 2)
-4. theoretically hash collision on flag user's name allows accessing report,
- but computation complexity is too high even for given round time
- (easy to find two strings with same md5 hash, but difficult to find
- 'complement' for a given string)
+3. The nginx /uploads alias allows for arbitrary file read in /service
+ (except for the database), since /upload../* expands
+ to /service/files/../. (flagstore 2)