MediaCrush Unrestricted File Upload Vulnerability Allowing Denial-of-Service

A vulnerability in MediaCrush versions through 1.0.1 allows remote, unauthenticated attackers to upload arbitrary files of any size to the '/upload' endpoint. This unrestricted file upload capability, combined with the absence of MIME type validation and rate limiting, can lead to a denial-of-service condition. The vulnerability arises from inadequate input validation in the Flask-based upload handler, allowing uploaded files to consume disk space, overwhelm Redis and Celery workers, and crash the application.

Impact

Exploiting this vulnerability fills the disk storage, crashes the application by causing out-of-memory errors, and disrupts normal upload and media serving functions. Additionally, if the storage is cloud-backed, such as with AWS S3, it can lead to significant billing costs.

Reproduction

To reproduce this vulnerability, upload a large file to the '/upload' endpoint of a MediaCrush instance using a tool like 'curl' or a Python script. The uploaded file will fill the disk storage, crash the application, and spike Redis memory usage.

Remediation

Users are advised to enforce server-side upload size limits using Flask's MAX_CONTENT_LENGTH configuration and web server directives. Implementing proper file validation and rate limiting can also help prevent resource exhaustion. As MediaCrush is unmaintained, users should consider forking the project to apply patches or avoid deployment.