Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Check real mime type when author uploads a file #186

Closed
geoffreykwan opened this issue Nov 4, 2022 · 1 comment · Fixed by #187
Closed

Check real mime type when author uploads a file #186

geoffreykwan opened this issue Nov 4, 2022 · 1 comment · Fixed by #187
Assignees
@geoffreykwan
Labels
released

Comments

@geoffreykwan
Copy link
Member

geoffreykwan commented Nov 4, 2022
edited
Loading

When an author uploads a file that they aren't allowed to in the File Manager, they can spoof (manually change) the Content-Type to allow it to be uploaded.

  1. Download the Burp Suite Community Edition (no need to enter email, just click "Go straight to downloads")
    https://portswigger.net/burp/communitydownload

  2. Install Burp Suite Community Edition

  3. Launch Burp Suite Community Edition

  4. Leave "Temporary project" selected

    • Click "Next"

  5. Use Burp defaults

    • Click "Start Burp"

  6. Configure the proxy

    • Click Proxy tab
    • Click Options tab
    • Under Proxy Listeners, highlight the 127.0.0.1:8080 line
    • Click "Edit"
    • Change port from 8080 to 8081

  7. Launch the browser

    • Click Intercept tab
    • Click "Open browser"

  8. Upload a file that should not be allowed

    • In the Burp browser go to localhost:81
    • Log in as a teacher
    • Open a unit in the Authoring Tool
    • Go to the File Manager view
    • Go back to the Burp application and click "Intercept is off" to turn intercept on
    • Go back to the Burp browser and drag and drop a php file into the File Manager
    • Go back to the Burp application and it should have intercepted the upload request
    • Change
      • Content-Type: application/octet-stream
      • to
      • Content-Type: image/jpeg
    • Click "Forward" button at the top left
    • The file will be uploaded when it shouldn't be

Right now we only look at the Content-Type which can be spoofed. We should try to detect the real mime type instead of relying on the Content-Type value.
@geoffreykwan geoffreykwan self-assigned this Nov 4, 2022
geoffreykwan added a commit that referenced this issue Nov 4, 2022
@geoffreykwan
fix(Authoring): Check real mime type when author uploads a file
3171d81 
#186
@geoffreykwan geoffreykwan mentioned this issue Nov 4, 2022
Merged
@breity breity moved this to Under Review in WISE Development Nov 8, 2022
geoffreykwan added a commit that referenced this issue Nov 9, 2022
@geoffreykwan
refactor(Authoring): Throw IOException in getRealMimeType()
80ea92d 
#186
Repository owner moved this from Under Review to Done in WISE Development Nov 13, 2022
@geoffreykwan
Copy link
Member Author

🎉 This issue has been resolved in version 1.0.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@geoffreykwan geoffreykwan

Labels
released
Projects
WISE Development
Status: Done
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(Authoring): Check real mime type when author uploads a file WISE-Community/WISE-API
1 participant
@geoffreykwan