## Catchbox

*The logical successor to Dropbox.*

### Flagstores

Flag user- and filenames are given as attack info.

Flagstore 1 is a file uploaded by the flag user.

Flagstore 2 is a report created by the flag user.

### Vulnerabilities

1. The random value used to generate the upload directory name is seeded
   using the time of the request, which can be inferred with minimal,
   online brute force from the user creation time in the `/users` endpoint.
   The uploads can then be accessed using the public URL, e.g. `/uploads/<MD5>/<FILE>`.
   (flagstore 1)

2. The upload endpoint has a path traversal that allows reading of other
   users' reports and uploads. There is a type confusion between the integer
   return value of `strpos` and `false`: a loose comparison treats index 0 as
   `false`, so paths like `*/../*` bypass the check because `..` sits at
   index 0 of the path component (`0 == false`). Additionally, the unsanitized
   parameter is stored in the database. This allows arbitrary read (not write)
   within `/reports`. The report filename is derived from the flag user's
   username provided in the attack info. (flagstore 2)

3. The nginx `/uploads` alias allows for arbitrary file read in `/service`
   (except for the database), since `/upload../*` expands to `/service/files/../`
   and is not normalized again. This gives access to user reports as well as
   `index.php`, which can be used to steal / circumvent patches of other teams.
   (flagstore 2)
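The two application-level bugs (1 and 2) side by side with their fixes, as an added example that is not the Catchbox service's own code. The function names, the `/service/files` base directory and the sample inputs are assumptions; the point is the `strpos`/`false` loose comparison and the time-seeded `mt_srand`, which the README describes.

```php
<?php
// Added example, not code from the Catchbox service. Function names,
// the base directory and the sample inputs below are assumptions.

declare(strict_types=1);

// --- Vulnerability 1: upload directory name derived from a time-seeded PRNG ---

// Weak: seeding with the request time makes the directory name reproducible
// from any timestamp an attacker can narrow down (e.g. user creation time).
function uploadDirWeak(int $requestTime): string
{
    mt_srand($requestTime);
    return md5((string) mt_rand());
}

// Hardened: a CSPRNG token that does not depend on any observable value.
// 16 random bytes as hex gives 32 characters, the same shape as an MD5 digest.
function uploadDirStrong(): string
{
    return bin2hex(random_bytes(16));
}

// --- Vulnerability 2: ".." check defeated by int/bool type confusion ---

// Weak: strpos() returns the 0-based index of the match, or false when there
// is none. With "==" the index 0 compares equal to false, so a component that
// *starts* with ".." passes the check as if no ".." were present.
function passesCheckWeak(string $component): bool
{
    return strpos($component, '..') == false;   // bug: 0 == false is true
}

// Strict comparison distinguishes "found at index 0" from "not found".
function passesCheckStrict(string $component): bool
{
    return strpos($component, '..') === false;
}

// Defence in depth: instead of searching for "..", allow-list each path
// segment and refuse anything that is not exactly <dir>/<file>. The base
// directory is passed in so the function needs no filesystem access.
function safeFilePath(string $base, string $userDir, string $file): ?string
{
    $parts = [];
    foreach (explode('/', $userDir . '/' . $file) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;                                   // empty or "." segments carry no meaning
        }
        if ($seg === '..' || !preg_match('/\A[A-Za-z0-9._-]+\z/', $seg)) {
            return null;                                // dot-segment or unexpected character: refuse
        }
        $parts[] = $seg;
    }
    if (count($parts) !== 2) {
        return null;                                    // anything other than <dir>/<file> is refused
    }
    return rtrim($base, '/') . '/' . implode('/', $parts);
}

// Demonstration on constructed inputs.
var_dump(passesCheckWeak('../reports'));            // the bypass case: ".." at index 0
var_dump(passesCheckStrict('../reports'));
var_dump(safeFilePath('/service/files', 'abc123', 'notes.txt'));
var_dump(safeFilePath('/service/files', 'abc123', '../../reports/x.txt'));
var_dump(uploadDirWeak(1700000000) === uploadDirWeak(1700000000)); // same seed, same name
var_dump(strlen(uploadDirStrong()));
```

`safeFilePath` deliberately avoids `realpath()` so it can be reasoned about without touching the disk; in a real service, a `realpath()` containment check against the base directory is a reasonable additional layer, but the allow-list alone already rejects every `..` segment regardless of where it appears in the component.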
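The server-level bug (3) is the classic nginx "off-by-slash" alias misconfiguration. The fragment below is an added, assumed configuration, not the service's actual `nginx.conf`; the location prefix and alias target are taken from the paths the README mentions.

```nginx
# Added example, not Catchbox's own configuration. Paths are assumptions.

# Vulnerable: the location prefix has no trailing slash. nginx replaces the
# matched prefix "/uploads" with the alias, so a request for "/uploads../x"
# becomes the filesystem path "/service/files/../x", which is not normalized
# again and escapes the intended directory.
location /uploads {
    alias /service/files/;
}

# Hardened: prefix and alias both end in "/". A request for "/uploads../x"
# no longer matches this location at all, and every path that does match is
# rooted below /service/files/. Only the uploads directory is exposed.
location /uploads/ {
    alias /service/files/;
}
```

A quick check after deploying is to request a path of the form `/uploads../` and confirm the server answers 404 rather than serving content from the parent directory; the same applies to any other `alias` whose `location` prefix lacks the trailing slash.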