Summary
An arbitrary file upload vulnerability exists even though file extension restrictions are configured. An attacker can bypass these restrictions and upload malicious files, leading to multiple critical attacks including Stored XSS and SSRF. This can result in account takeover, data leakage, and compromise of internal systems.
Details
This extension restriction is enforced only at the UI level. When the upload request is intercepted and modified using tools like Burp Suite, it is possible to bypass the extension filter and upload arbitrary and potentially malicious files.
By modifying the request:
- Files with disallowed extensions such as .html, .svg, .php, .exe, .msi, .bat, .cmd, etc., can be uploaded.
- Double extensions like payload.png.html, image.jpg.svg, or file.png.exe are accepted.
- MIME type can be spoofed (e.g., setting Content-Type: image/png while sending malicious or executable content).
- After upload, the file is successfully stored and accessible, which confirms that the backend does not properly validate the file type based on real extension, MIME type, or file content.
This arbitrary file upload can then be abused to perform multiple critical attacks:
- Stored XSS: Uploading HTML or SVG files with JavaScript causes stored XSS when any user views the uploaded file.
- Malware Distribution: Executable files such as .exe, .msi, .bat, etc., can be uploaded and shared, leading to malware distribution through the application.
- SSRF: Specially crafted files (e.g., SVG/HTML referencing external URLs) can force the server to make requests to attacker-controlled or internal URLs.
This shows that even though file extension restrictions are configured in the form component to prevent dangerous file types, they are not enforced securely on the backend, leading to arbitrary file upload and multiple critical vulnerabilities.
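A backend check of the kind the report says is missing, added here as an example and not taken from Budibase: a file is accepted only when its final extension, the declared Content-Type and its leading bytes all agree on one of the allowed image formats. The allowed set (jpg, png, gif, webp) comes from the PoC step; the function and constant names are hypothetical, and the sample inputs are constructed.

```javascript
// Added example, not Budibase code: a backend allowlist check for an image
// attachment field. It validates the final extension, the declared
// Content-Type and the file's magic bytes together, so a renamed SVG, a
// spoofed Content-Type or a double extension like payload.png.html all fail.
const ALLOWED = {
  jpg:  { mime: 'image/jpeg', magic: [[0xff, 0xd8, 0xff]] },
  jpeg: { mime: 'image/jpeg', magic: [[0xff, 0xd8, 0xff]] },
  png:  { mime: 'image/png',  magic: [[0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]] },
  gif:  { mime: 'image/gif',  magic: [[0x47, 0x49, 0x46, 0x38, 0x37, 0x61],   // GIF87a
                                     [0x47, 0x49, 0x46, 0x38, 0x39, 0x61]] }, // GIF89a
  webp: { mime: 'image/webp', magic: [[0x52, 0x49, 0x46, 0x46]] },           // "RIFF"
};

// True when `sig` appears in `bytes` at `offset`.
function hasSignature(bytes, sig, offset = 0) {
  return bytes.length >= offset + sig.length && sig.every((b, i) => bytes[offset + i] === b);
}

// Returns { ok: true, mime } when all three checks agree, else { ok: false, reason }.
function validateImageUpload(filename, contentType, bytes) {
  // Only the final extension counts, so "payload.png.html" is judged as ".html".
  const parts = String(filename).toLowerCase().split('.');
  if (parts.length < 2 || parts.some((p) => p === '')) {
    return { ok: false, reason: 'filename must be name.ext with no empty parts' };
  }
  const ext = parts[parts.length - 1];
  const rule = ALLOWED[ext];
  if (!rule) return { ok: false, reason: `extension .${ext} is not allowed` };

  // The declared type is attacker-controlled; require it to match the extension.
  const declared = String(contentType).split(';')[0].trim().toLowerCase();
  if (declared !== rule.mime) {
    return { ok: false, reason: `Content-Type ${declared} does not match .${ext}` };
  }

  // The bytes must actually start like that image format (server-side sniffing).
  const magicOk = rule.magic.some((sig) => hasSignature(bytes, sig));
  const riffOk = ext !== 'webp' || hasSignature(bytes, [0x57, 0x45, 0x42, 0x50], 8); // "WEBP"
  if (!magicOk || !riffOk) return { ok: false, reason: `content is not a valid ${ext} image` };

  return { ok: true, mime: rule.mime };
}

// Constructed samples: a minimal PNG header and an SVG document renamed to .png.
const PNG_HEADER = Uint8Array.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 13]);
const SVG_BYTES = new TextEncoder().encode('<svg xmlns="http://www.w3.org/2000/svg"></svg>');
console.log(validateImageUpload('badge.png', 'image/png', PNG_HEADER));        // accepted
console.log(validateImageUpload('badge.svg', 'image/svg+xml', SVG_BYTES));     // extension rejected
console.log(validateImageUpload('badge.png', 'image/png', SVG_BYTES));         // content rejected
console.log(validateImageUpload('payload.png.html', 'image/png', PNG_HEADER)); // double extension rejected
```

Validation alone does not make a stored file safe to open: serve attachments with `Content-Disposition: attachment` and a restrictive Content-Security-Policy so the browser never renders them as an active document from the application's origin.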
PoC
- Log in using an admin account and create a new application. Add a Form component, then locate the “Badge Photo” field and click on the settings (gear) icon for that field.
- Observe that we have configured the valid file extensions according to the documentation at
https://docs.budibase.com/docs/attachment
- Now log in using a user account that has only the “App User” role, not an admin role.
- Navigate to the application and fill in the required details as highlighted.
- Click on "File Upload" and observe that only jpg, png, gif, and webp files are allowed.
- Now upload a valid file, change the extension from ".jpg" to ".svg" and the Content-Type to "image/svg+xml", and append the payload below in the body.
<svg xmlns="http://www.w3.org/2000/svg" width="400" height="400" viewBox="0 0 124 124" fill="none">
<rect width="124" height="124" rx="24" fill="#000000"/>
<script type="text/javascript">
alert(0x539);
</script>
</svg>
- Observe that the SVG file was attached successfully. Click Save and observe that the form is saved without any error.
- Now from the admin user, navigate to submitted data and click on the badge photo.
- Right-click on that image and copy the link address. Open the copied link in the browser and observe that a popup is triggered. This is an instance of Stored XSS.
- Now, using the same method, upload the malicious file and observe that the file is downloaded from the admin account.
- Observe that the EICAR test virus payload has been appended.
- Using the same method, append the SSRF payload to the uploaded file. If that file is opened by an admin user, we will be able to capture that admin user's IP address.
Impact
This vulnerability allows an attacker to upload and store arbitrary files despite file extension restrictions being configured in the application. As a result, the attacker can abuse the upload functionality to perform multiple critical attacks.
Account Takeover:
Stored XSS can be used to steal session cookies or tokens of users and administrators, allowing full account compromise.
Remote Code and Malware Distribution:
Malicious executable files such as .exe, .msi, .bat, etc., can be uploaded and shared, turning the application into a malware distribution platform.
Internal Network Exposure:
Through SSRF, the attacker can force the server to make requests to internal services, cloud metadata endpoints, or private IP ranges.
Data Theft and Privacy Breach:
XSS and SSRF can be used to steal sensitive user data, internal tokens, configuration details, and other confidential information.
Overall, this vulnerability represents a critical risk as it enables multiple attack vectors from a single entry point and can lead to complete compromise of users, data, and internal infrastructure.