Local File Inclusion Vulnerability in Email Attachment Feature


Dear readers,

I identified a critical security vulnerability in REDACTED that could have allowed an attacker to read local files on the mailer server by inserting a local file path in the file URL when sending an email attachment.

For privacy reasons, the target of this security assessment has been replaced with REDACTED. The purpose of this blog post is to share knowledge and raise awareness about a vulnerability that was identified and properly reported.

When a user sends an email with an attachment through REDACTED, the client does not upload the file itself. It supplies a URL in the file_url parameter, and the mailer server fetches the attachment content from that URL on the user's behalf. The server therefore reads from whatever location the client names, which makes file_url an attacker-controlled input to a server-side fetch.

The vulnerable request was similar to the following:

POST /emails HTTP/1.1
Host: REDACTED.com
....

{
  "from": {"email": "email@email.com"},
  "to": [{"email": "email2@email.com"}],
  "body": "",
  "subject": "example test",
  "attachments": [
    {"file_name": "test.txt", "file_url": "https://user-host.com/test.txt"}
  ]
}

After spending a considerable amount of time trying to reach the cloud metadata API through this fetch with no success, I turned my attention to local file access. Replacing the https URL in file_url with the absolute path of a system file made the mailer read that file from its own filesystem instead of fetching it over HTTP, and in this way I retrieved sensitive files such as /etc/passwd and /etc/shadow. Being able to read /etc/shadow, which is normally readable only by root (or the shadow group), also indicates that the mailer process was running with elevated privileges. It is worth noting that the fetch process is likely managed by nodemailer-fetch.
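The following is an added example, not code from the REDACTED service or from nodemailer itself. It assumes, as the post suggests, a Node.js service that turns the request body above into nodemailer attachment objects. The vulnerable builder passes file_url straight into nodemailer's `path` option, which nodemailer accepts as either a URL or a filesystem path; the hardened builder parses file_url as a URL, allows only https to a public host, and hands the result to nodemailer as `href`, which is only ever fetched over HTTP(S). The request body, host names and the helper names are constructed for the example.

```javascript
// Added example, not code from the REDACTED service or from nodemailer.
// Assumes a nodemailer-based service; the request below is constructed.
const SAMPLE_REQUEST = {
  from: { email: "email@email.com" },
  to: [{ email: "email2@email.com" }],
  body: "",
  subject: "example test",
  attachments: [
    { file_name: "test.txt", file_url: "https://user-host.com/test.txt" },
    { file_name: "test.txt", file_url: "/etc/passwd" },
    { file_name: "test.txt", file_url: "file:///etc/shadow" },
    { file_name: "test.txt", file_url: "https://169.254.169.254/latest/meta-data/" },
  ],
};

// Vulnerable shape: the client-supplied string becomes nodemailer's `path`
// option. nodemailer treats a non-URL value there as a local file path, so
// "/etc/passwd" is read from the mailer's own disk and attached.
function buildAttachmentsVulnerable(attachments) {
  return attachments.map((a) => ({ filename: a.file_name, path: a.file_url }));
}

// Hosts a server-side fetcher must never contact on a client's behalf:
// loopback, unspecified, link-local (cloud metadata sits on 169.254.169.254),
// RFC 1918 ranges and their IPv6 counterparts.
function isForbiddenHost(hostname) {
  const h = hostname.toLowerCase();
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  if (h.startsWith("[")) {
    // WHATWG URL keeps IPv6 literals in brackets; strip them to inspect.
    const v6 = h.slice(1, -1);
    return v6 === "::" || v6 === "::1" || v6.startsWith("fe80:") ||
      v6.startsWith("fc") || v6.startsWith("fd") || v6.startsWith("::ffff:");
  }
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(h)) {
    const [a, b] = h.split(".").map(Number);
    return a === 0 || a === 10 || a === 127 ||
      (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168);
  }
  return false;
}

// Accepts only an absolute https URL without credentials to a public host and
// returns its normalized form; throws on anything else. A bare path such as
// "/etc/passwd" has no scheme, so `new URL` rejects it before any policy check.
function validateAttachmentUrl(fileUrl) {
  let parsed;
  try {
    parsed = new URL(fileUrl);
  } catch {
    throw new Error(`file_url is not an absolute URL: ${fileUrl}`);
  }
  if (parsed.protocol !== "https:") {
    throw new Error(`file_url scheme not allowed: ${parsed.protocol}`);
  }
  if (parsed.username || parsed.password) {
    throw new Error("file_url must not carry credentials");
  }
  // URL parsing has already normalized forms such as 0x7f000001 or
  // 2130706433 to dotted-quad, so the check sees the canonical host.
  if (isForbiddenHost(parsed.hostname)) {
    throw new Error(`file_url host not allowed: ${parsed.hostname}`);
  }
  return parsed.toString();
}

// Hardened shape: the validated URL goes into nodemailer's `href` option,
// which is only ever fetched over HTTP(S) and never read as a local path.
function buildAttachmentsHardened(attachments) {
  return attachments.map((a) => ({
    filename: a.file_name.split(/[\\/]/).pop(), // drop any directory part
    href: validateAttachmentUrl(a.file_url),
  }));
}

// Screens a request's attachments, separating accepted ones from rejected ones
// with the reason, so the API can answer 400 instead of sending the mail.
function screenAttachments(attachments) {
  const accepted = [];
  const rejected = [];
  for (const a of attachments) {
    try {
      accepted.push(buildAttachmentsHardened([a])[0]);
    } catch (err) {
      rejected.push({ file_url: a.file_url, reason: err.message });
    }
  }
  return { accepted, rejected };
}

// True when validateAttachmentUrl refuses the value.
function rejects(fileUrl) {
  try { validateAttachmentUrl(fileUrl); return false; } catch { return true; }
}

console.log(buildAttachmentsVulnerable(SAMPLE_REQUEST.attachments));
console.log(screenAttachments(SAMPLE_REQUEST.attachments));
```

The host check above runs on the name in the URL, so it does not by itself stop a public hostname that resolves to an internal address, or one that changes its answer between the check and the fetch (DNS rebinding); the fetch layer should resolve the name, re-apply the same address policy to the resolved IP, and refuse to follow redirects to anything that fails it. Moving from `path` to `href` is the part that removes the local file read entirely, because no string handed to `href` is ever interpreted as a filesystem location.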

As a responsible security researcher, I stopped at this point as I was able to demonstrate a proof of concept of the vulnerability.

After identifying the issue, I immediately reported it to the REDACTED security team and followed responsible disclosure procedures. They promptly fixed the issue and confirmed that there was no evidence of any malicious exploitation.

By sharing this experience, I hope to raise awareness about the importance of secure coding practices, regular security assessments and prompt vulnerability remediation.

Stay safe out there,

LOPSEG.
