Unrestricted File upload to Open Redirection on Edmodo – SQLi Basic

Hi Edmodo,

Here is Shaifullah Shaon (Black_EyE), An Ethical Hacker.
a white hat cyber security researcher from Bangladesh reporting a serious
[3’rd ranking in OWASP] security vulnerability on your system.

I faced a technical security bug called “Unrestricted File upload to Open Redirection on Edmodo”.

Now I exploited it. If you verify more, so you can see my video poc that was unlisted my youtube channel.

Let’s follow me,

1. I already Open my Account.
2. go to: https://www.edmodo.com/home#/community/support
3. Create a new post and Upload my edmodo.html that was my coded as attached.
4. Just copy link location after saving post, and paste on url.
5. Here as you see, here is also Redirect to as my wish.
6. Now See Again, I upload a html deface page.

POC:
1. https://api.edmodo.com/files/761018561/download?f=47am4l0yf7rfh676f0jv5towh (Open Redirection Page)
2. https://api.edmodo.com/files/761019044/download?f=e5nbgqujbni3do5u6ylvts84u (Hacked Page)

Please See my Video Poc for understand clearly. Hopefully Those are Very critical issue.
Resolve those issue as soon as possible.

Here is proof as video concept (unlisted): https://youtu.be/FVeszzMJfpc

Thank you
Shaifullah Shaon (Black_EyE)
shaon.durjoy@gmail.com




Leave a Reply

Your email address will not be published. Required fields are marked *

Name *
Email *
Website