
When a file is uploaded, it is stored in the chosen storage (let's suppose S3 in our case), and the Rocket.Chat server returns a link on the same host which redirects to the S3 file location. Having this in mind, we can look for any open redirects in Rocket.Chat. Fortunately, Rocket.Chat allows file uploads; it uses different kinds of file storage, such as S3, Gcloud, and WebDAV.

Rocket.Chat desktop allows same-host navigation, which means any link to the same host will be opened in Rocket.Chat desktop itself.

Rocket.Chat had issued a statement and a fix: The vulnerability was reported to Rocket.Chat in Sep 2021. At the beginning the vendor was very responsive and worked on a patch, and in Oct 2021 a new version of Rocket.Chat was released that fixed the initial vector but didn't fix the overall problem: minimal modifications to the vector allow bypassing of the mitigation. No subsequent communication sent to the vendor, with a warning that the fix was incomplete, received any response.

As far as we know, the Rocket.Chat client is still vulnerable to attack through the aforementioned vulnerability.
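The same-host navigation rule and the same-host upload link that redirects to external storage, both described above, can be compared as a navigation policy. This is an added defensive example, not Rocket.Chat's code. The origin `chat.example.com`, the sample URLs and the function names are assumptions made for illustration.

```javascript
// Added example (not Rocket.Chat code). SERVER_ORIGIN and SAMPLE_CHAIN are constructed.
const SERVER_ORIGIN = 'https://chat.example.com';

// Constructed redirect chain: a same-host upload link that redirects to storage.
const SAMPLE_CHAIN = [
  'https://chat.example.com/file-upload/abc123/report.pdf',
  'https://bucket.s3.example.net/abc123/report.pdf',
];

// Weak policy: looks only at the link as clicked and never at where it redirects.
function weakPolicy(clickedUrl) {
  try {
    return new URL(clickedUrl).origin === SERVER_ORIGIN ? 'in-app' : 'external';
  } catch {
    return 'block'; // unparsable URL
  }
}

// Hardened policy: every hop (clicked URL plus each redirect target) is checked.
// Returns 'in-app' only if all hops stay on the server origin, 'external' if any
// hop leaves it (hand off to the system browser), 'block' for anything else.
function hardenedPolicy(hops) {
  if (!Array.isArray(hops) || hops.length === 0) return 'block';
  for (const hop of hops) {
    let u;
    try {
      u = new URL(hop);
    } catch {
      return 'block';
    }
    // Only web schemes may be navigated at all.
    if (u.protocol !== 'https:' && u.protocol !== 'http:') return 'block';
    // Compare the full origin, so userinfo tricks and lookalike hosts do not match.
    if (u.origin !== SERVER_ORIGIN) return 'external';
  }
  return 'in-app';
}

// Assumed wiring in an Electron app: call hardenedPolicy from both the
// 'will-navigate' and 'will-redirect' webContents events, appending each new
// URL to the chain, and call event.preventDefault() unless it returns 'in-app'.
console.log(weakPolicy(SAMPLE_CHAIN[0]), hardenedPolicy(SAMPLE_CHAIN));
```

The weak policy keeps the sample link inside the client because only its first hop is inspected, while the hardened policy stops at the redirect that leaves the server origin.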


Find out how a vulnerability in the Rocket.Chat client allows remote attackers to cause a victim who clicks on a seemingly harmless link to execute arbitrary commands.

A vulnerability in Rocket.Chat allows remote attackers targeting clients using the chat program to execute arbitrary commands on the client side, requiring only that the victim click on a seemingly harmless link (the link itself does not contain the attack vector).

An independent security researcher has reported this bypass to the SSD Secure Disclosure program.
