Unauthorised file upload in withgoogle.com site


A few days ago I found a bug in a site csfirst.withgoogle.com, which was due to a misconfigured Drupal instance.

After signing up on the site, there was a lot of functionality on it. I decided to test the user profile tab (looking for low hanging fruits like CSRF etc.). Sadly I couldn't find anything important. But looking at my dirsearch results and robots.txt file, I saw quite some interesting endpoints. The original settings page for user profile looked like this:

As you can see, there is nothing interesting here. However, the robots.txt file of the same site had an endpoint `/user/register/`. Going to that endpoint revealed the following functionality:

From there I could upload files upto 30MB in size and gifs, txt files etc. which would get uploaded on the storage server. Many other sensitive options are also available. This was a result of their Drupal instance being configured improperly.

Reward: enlisted in Google Honorable Mentions

Thanks for reading,

Popular Posts