Budibase Arbitrary File Upload Vulnerability Allowing Stored Cross-Site Scripting and Server-Side Request Forgery

Vulnerability

An arbitrary file upload vulnerability has been identified in Budibase versions through 3.24.0. The application lets users configure file extension restrictions, but these restrictions are enforced only at the user interface level, not on the server. Attackers can bypass them by intercepting and modifying upload requests with tools such as Burp Suite, allowing them to upload malicious files with disallowed extensions or double extensions. Once uploaded, these files can be exploited to carry out several critical attacks, including stored cross-site scripting and server-side request forgery, leading to account takeover, data leakage, and compromise of internal systems.

Impact

Exploitation of this vulnerability allows for arbitrary file uploads, which can be abused to perform multiple critical attacks. Uploaded files can include executable malware, which could be distributed through the application. Additionally, files crafted to exploit server-side request forgery vulnerabilities can be used to make requests to internal services or cloud metadata endpoints, potentially leading to further exploitation or data exposure.

Reproduction

To reproduce this vulnerability, log in to Budibase with an admin account and create a new application. Add a Form component and configure the 'Badge Photo' field to accept only certain file types. After saving the form, log in with a user account that has the 'App User' role. Upload a file by changing its extension to one that is disallowed, such as .svg, and spoof the MIME type to match an accepted file type. Once the file is uploaded, it can be accessed and exploited to demonstrate the vulnerability, such as by triggering a stored cross-site scripting attack.
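The root cause above is that the extension filter lives only in the UI, so the declared filename and Content-Type reach the server unchecked. The following server-side check is an added illustration, not Budibase's own code; the allowlist, the MIME mapping, the magic bytes and the function name checkUpload are assumptions. It rejects the spoofed-MIME and double-extension cases the reproduction steps rely on by checking the extension, the declared type and the leading bytes against each other.

```typescript
// Added example, not Budibase code. Assumed allowlist: image types keyed by
// extension, each with the MIME type and leading bytes (magic) it must carry.
const ALLOWED: Record<string, { mime: string; magic: number[] }> = {
  png: { mime: "image/png", magic: [0x89, 0x50, 0x4e, 0x47] },
  jpg: { mime: "image/jpeg", magic: [0xff, 0xd8, 0xff] },
  jpeg: { mime: "image/jpeg", magic: [0xff, 0xd8, 0xff] },
};

interface UploadCheck { ok: boolean; reason?: string }

// Validates an upload on the server, independent of any client-side filter.
// `head` is the first few bytes of the uploaded body as received.
function checkUpload(filename: string, declaredMime: string, head: Uint8Array): UploadCheck {
  // Drop any path component so the name cannot steer where the file is stored.
  const base = filename.split(/[\\/]/).pop() ?? "";
  const parts = base.split(".");
  if (parts.length < 2 || parts[0] === "") return { ok: false, reason: "missing extension" };
  // Reject double extensions such as "photo.svg.png" outright.
  if (parts.length > 2) return { ok: false, reason: "double extension" };
  const ext = parts[1].toLowerCase();
  const rule = ALLOWED[ext];
  // Anything not on the allowlist (for example .svg, which can carry script) is refused.
  if (!rule) return { ok: false, reason: `extension .${ext} not allowed` };
  // The declared Content-Type is attacker-controlled; it must agree with the
  // allowlist entry for the extension, and the bytes must agree as well.
  if (declaredMime.toLowerCase() !== rule.mime) {
    return { ok: false, reason: "MIME type does not match extension" };
  }
  if (head.length < rule.magic.length || rule.magic.some((b, i) => head[i] !== b)) {
    return { ok: false, reason: "file content does not match extension" };
  }
  return { ok: true };
}
```

Serving stored uploads with a fixed Content-Type and `X-Content-Type-Options: nosniff` from a separate origin limits the damage should a check like this ever be bypassed.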

Added: Mar 9, 2026, 9:21 PM
Updated: Mar 9, 2026, 9:21 PM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 0.6
exploitability: 6.6
remediation: 0.0
relevance: 3.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these eight key vulnerability categories, which are then combined to calculate the overall risk score.