Background
The target application is a platform that allows users to create personalized designs for products and then purchase these customized items. Users can choose from various templates or upload their own designs to be printed on the products, ensuring a unique and personalized shopping experience.
Discovery
While accessing my design, I found this request:
GET https://www.domain.com/ucd/ucd.php?action=load&xmlpath=/files/cart_items/193/61304833/UCD.xml&convertYear=0&is_temp=0
The request returns a response containing XML data about the user's design.
Analysis
In the xmlpath parameter I found that it used a specific format:
/file/cart_items/<category_id>/<design_id>/UCD.xml
I tried to change the design_id to my test account's design id, but it returned 403 Forbidden.
We can bypass it by using path traversal. Payload:
/file/cart_items/<category_id>/<attacker_design_id>/../<victim_design_id>/UCD
The CVSS scoring used HackerOne's CVSS 3.0:
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/CR:X/IR:X/AR:X
Alhamdulillah, you've reached the end. Hopefully you learned something from here, and thanks for your support!
I'm sorry if it lacks screenshots; it's a report from 2022 and I didn't really document it well back then :(
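The root cause of the bypass above is that the server authorized the design id it saw in the raw xmlpath string, while the filesystem resolved the `..` segment to a different design. The following Python example is added here and is not the application's own PHP code; the ownership table, the design ids and the payload are constructed. It contrasts that weak check with one that canonicalizes the path and requires the exact expected shape before checking ownership:

```python
import posixpath
import re

# Shape the endpoint expects after canonicalization:
#   /files/cart_items/<category_id>/<design_id>/UCD.xml
XMLPATH_RE = re.compile(r"/files/cart_items/(\d+)/(\d+)/UCD\.xml")

# Constructed ownership table (design_id -> owner); not data from the report.
DESIGN_OWNERS = {61304833: "victim", 70000001: "attacker"}

# Constructed traversal payload in the shape the write-up describes.
PAYLOAD = "/files/cart_items/193/70000001/../61304833/UCD.xml"


def naive_check(xmlpath: str, user: str) -> bool:
    """Weak pattern: authorize on the first design id that appears in the raw
    string. The filesystem later resolves '..' and opens a different design."""
    m = re.search(r"/cart_items/\d+/(\d+)/", xmlpath)
    return bool(m) and DESIGN_OWNERS.get(int(m.group(1))) == user


def hardened_check(xmlpath: str, user: str):
    """Canonicalize first, then require the exact expected shape, then check
    ownership of the design id that will actually be read. Returns the
    canonical path on success and None otherwise."""
    if "\x00" in xmlpath or "\\" in xmlpath:
        return None                              # NUL bytes / backslashes are never legitimate
    canonical = posixpath.normpath(xmlpath)      # collapses '..', '.' and '//'
    m = XMLPATH_RE.fullmatch(canonical)
    if m is None:
        return None                              # anything outside cart_items/<cat>/<id>/UCD.xml
    design_id = int(m.group(2))
    if DESIGN_OWNERS.get(design_id) != user:
        return None                              # ownership check on the resolved design id
    return canonical


if __name__ == "__main__":
    print("naive    :", naive_check(PAYLOAD, "attacker"))     # True  (bypassed)
    print("hardened :", hardened_check(PAYLOAD, "attacker"))  # None  (blocked)
```

Run the check on the decoded parameter value, which is the form the script actually receives, and apply the same canonicalization to the filesystem path before opening the file.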