Unrestricted File Upload

digitalfactory · July 4, 2024, 9:24am

Description

It was observed the application allows users to upload files and was discovered to have insufficient safeguards to ensure the uploaded file is not malicious. Malicious files that are uploaded could have a wide range of effects depending on the affected application such as storing malware or gaining access via command execution.

Understand from this documentation clamav integration via the marketplace, but since we are on air-gapped, is there any other possible way?

Any help would be appreciated!

Steps to reproduce:

1. Login as any user to the application at a self-hosted URL.
1. Start a conversation with any user by using the search function (Magnifying glass icon in on the top left) and selecting any other user.
1. Select the “Upload File” button (Paperclip icon) just below the message box.
1. Select any file to upload and click “Send”.
1. Observe that a HTML containing an XSS payload and an EICAR file could be successfully uploaded and downloaded by users.

Server Setup Information

Version of Rocket.Chat Server: v6.9.2
Operating System: Linux System
Deployment Method: Docker
Number of Running Instances: 1 Server & 1 Database instance
NodeJS Version: 14.21.3
MongoDB Version: 6.0.15

Any additional Information

Things to note:

We are running rocketchat integration with LDAP
We are running a community version
We are on an air-gapped controlled server

reetp · July 4, 2024, 1:24pm

I think you ought to read here.

github.com/RocketChat/Rocket.Chat

Media Type Not Accepted

opened 06:51AM - 06 Mar 24 UTC

closed 11:09AM - 14 Jun 24 UTC

DustpaN-Spb

Look like a last change is a error Because Was: invalidContentType: Boolean…(file.type && !fileUploadIsValidContentType(file.type)), Now: invalidContentType: !(file.type && fileUploadIsValidContentType(file.type)), If we can't detrminate a MIME type of a file (file.type) it will return a false and all not recognised types will be not work at all even if "Accepted Media Types" is empty. Please revert https://forums.rocket.chat/t/cant-upload-ovpn-file/19455 _Originally posted by @DustpaN-Spb in https://github.com/RocketChat/Rocket.Chat/issues/31346#issuecomment-1975862098_

Also check “Blocked” and “Accepted media types” in Settings, File Upload.

If you are paranoid either disable uploads - the only really acceptable solution - or limit them.

If you are air gapped, but users can still upload files, you might have to ask yourself what are trying to protect?

I think apps need online access for install.

Search here for ‘offline apps’ or similar.

Also

https://docs.rocket.chat/docs/rocketchat-marketplace

You might also consider using a local file store (you should not be using GridFS for production) and you can then run a local AV scanner on it?

Topic		Replies	Views
Can't upload ovpn file Community Support	3	477	May 23, 2024
Media upload Issue Community Support	2	245	May 23, 2024
Media Type Not Supported despite not setting restrictions Community Support	4	498	May 24, 2024
Unable to attach .zip file Community Support	0	2197	May 10, 2020
Can't find FileUpload settings Community Support	1	427	August 14, 2023

[Rocket.Chat v7.0: Join the webinar] Roadmap Reveal: on-prem AI, VoIP, and more! Save your seat ->

Unrestricted File Upload

Description

Server Setup Information

Any additional Information

Related topics