nodebb-plugin-imgur icon indicating copy to clipboard operation
nodebb-plugin-imgur copied to clipboard
verified publisher icon barisusakli

Vulnerability through remote upload

Open wzrdtales opened this issue 10 years ago • 3 comments

Currently it is not possible to either, set a proxy for remote file uploads nor to disable remote file uploads if using this plugin.

This opens a vulnerability that discloses the server ip to an attacker in a reverse proxy setup.

wzrdtales avatar Nov 23 '15 19:11 wzrdtales

Currently the only condition to trigger this seems just to be the upload plugin, but not any realy settings.

        <!-- IF config.hasImageUploadPlugin -->
        <div class="btn-group" role="group">
                <button type="button" class="btn btn-default" data-action="upload-url">[[user:upload_new_picture_from_url]]</button>
        </div>
        <!-- ENDIF config.hasImageUploadPlugin -->

wzrdtales avatar Nov 23 '15 19:11 wzrdtales

The same goes for the upload function itself:

                if (!plugins.hasListeners('filter:uploadImage')) {
                        return callback(new Error('[[error:no-plugin]]'));
                }

wzrdtales avatar Nov 23 '15 19:11 wzrdtales

Notes to this, this is a very known and common attack pattern for a very common protection scenario against DDoS.

wzrdtales avatar Nov 23 '15 19:11 wzrdtales