
Unrestricted File Upload Vulnerability

Planned


Posted Apr 09, 2020

Zendesk allows any arbitrary file to be uploaded. This makes the application highly vulnerable to several types of attacks. I found that by domain/application is vulnerable because it allows all types of files to be uploaded while creating a ticket. As you can see in the attached image, I've uploaded firefox installer.exe.

 

As an impact, an attacker can exploit this vulnerability in many ways to perform malicious activity. An attacker can create a ticket and upload malware (virus, worm, ransomware, etc.). Later, when the ticket is handled by a support person, he/she will check the ticket and open the file. This file can be installed on the system and perform many malicious activities. It can compromise the system and/or the entire network, depending on the malware.

Ideally, as a solution, only a limited set/type of files should be allowed for upload, such as jpg, png, .txt, etc. Kindly let me know your feedback on this, and if this falls in your scope.

Security is not a choice any more and this should be implemented/fixed ASAP.


3

10
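The allowlist approach proposed in the post above, sketched as a server-side check. This is an added example, not Zendesk code and not part of the original thread; the function name, the size cap and the sample inputs are assumptions made for illustration.

```python
import os

# Allowlist from the post's suggestion (jpg, png, txt). Values are the leading
# "magic bytes" each type must start with; None means "plain text, no signature".
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".txt": None,
}
MAX_BYTES = 5 * 1024 * 1024  # assumed size cap, not a Zendesk limit


def validate_upload(filename, data):
    """Return (accepted, reason) for an attachment name and its raw bytes."""
    if "\x00" in filename:
        return False, "NUL byte in filename"
    # Keep only the final path component, whichever separator the client used.
    name = os.path.basename(filename.replace("\\", "/")).strip().lower()
    stem, ext = os.path.splitext(name)
    if not stem or ext not in ALLOWED:
        return False, "extension not on allowlist"
    if not data or len(data) > MAX_BYTES:
        return False, "empty or oversized file"
    signatures = ALLOWED[ext]
    if signatures is None:
        # Text must be valid UTF-8 with no NUL bytes (binaries fail this).
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            return False, "content is not text"
        if b"\x00" in data:
            return False, "content is not text"
        return True, "ok"
    # The extension is client-controlled, so the content has to agree with it.
    if not data.startswith(signatures):
        return False, "content does not match extension"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs, not real files.
    exe = b"MZ\x90\x00" + b"\x00" * 60
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    for fname, blob in [("firefox installer.exe", exe), ("photo.png", exe),
                        ("photo.png", png), ("notes.txt", b"printer is down\n")]:
        print(fname, validate_upload(fname, blob))
```

A signature check only confirms that the content matches the claimed type; it complements, rather than replaces, the malware scanning discussed in the replies.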

10 comments

Official


Max McCal

Zendesk Product Manager

UPDATE: We're no longer looking for volunteers, but are still working on this solution, and expect to have something to show for it in early 2022.

 

Hey, all --

Dropping in to this thread to mention that we are actively working on a Malware Scanning tool in Zendesk, and we're looking for some customer eyes to come see what we're planning. If you're willing to give us 30 minutes of your time, you can sign up here for a time on my calendar. We'll show you some of our plans and ask for your opinions. 

While we're not currently working on file type restrictions, that is something that we're looking into as a future release.

1



Caroline Kello

Zendesk Product Manager

Hello,

Thanks for reaching out. Together with our Product Security team we're currently looking into what we can do for malware attachment scanning, regardless of attachment origin. Currently we only offer scanning for email attachments so you're correct that there's more we should do from a product security standpoint. 

Thanks for raising this, 

Caroline

0


The file type restrictions are not working in the contact form. This should be easy to fix.

0


Hi there. Any update on this security issue? This was flagged as a security issue during a recent audit. 

0


PS: I believe there is a typo in the original post.

Original: I found that by domain/application...

Likely intent: I found that my domain/application...

0


Hi,

Will this solution apply to uploads to Gather (community) posts?

Thanks,

Phil

0


Max McCal - Hi, is there any update on this? Like many above and in separate posts, this has been flagged as a concern through a security audit.

0



Chika Chima

Zendesk Product Manager

Hi! Ben Steele

Thank you for your question and concerns!

We are working to roll out the Malware Scanning feature towards the beginning of June 2022. There will be more information here on the help center soon.

-1


Hi Chika Chima

Will this rollout allow uploads to Gather (community) posts?

Thanks,

Phil

0



Chika Chima

Zendesk Product Manager

Hi Phil,

Unfortunately, it is not on this first release. For future releases, we are looking into more integrations of products.

-1

