最近搜索


没有最近搜索

Login Test's Avatar

Login Test

已加入2021年4月15日

·

最后活动2021年10月22日

关注

0

关注者

0

活动总数

2

投票

0

订阅

1

活动概览

的最新活动 Login Test

Login Test 创建了一个帖子,

帖子 Feedback - Ticketing system (Support)

zendesk, allows any arbitrary file to uploaded. This highly makes application vulnerable to several type of attacks.  I found that by domain/application is vulnerable because it allows all type file to be uploaded while creating a ticket. As you can see in attached image, I've uploaded firefox installer.exe.

 

As an impact, attacker can exploit this vulnerability in many ways to perform malicious activity. Attacker can create a ticket and upload malware(virus, worm, ransomware etc.). Later, when the ticket is handled by support person, he/she will check the ticket and open the file. This file can be installed in the system and perform many malicious activities. It can compromise the system, and/or entire network depend on the malware.

Ideally as a solution, only limited set/type of files should be allowed for upload such as jpg, png, .txt etc. Kindly let me know your feedback on this, and if this falls in your scope.

Security is not a choice any more and this should be implemented/fixed ASAP.

已于 2020年4月09日 发布 · Login Test

3

关注者

11

投票

10

评论