Hi Box,

This is Shaifullah Shaon (Black_EyE), an ethical hacker and white-hat cyber security researcher from Bangladesh, reporting a serious security vulnerability [3rd ranking in OWASP] on your system.

I encountered a technical security bug called "AWS open bucket on Box".

I know that box-files is used for file uploads of Box's urgent files, so I did a quick scan for similar buckets and found an open AWS bucket, as listed below. While I can't confirm whether you own it or not, it appears to be publicly writable using the AWS CLI.

I then exploited it. If you want to verify further, you can watch my video PoC, which is unlisted on my YouTube channel.

Open AWS bucket found:

box-video

When I tried to write to the open AWS bucket, I got:

However, when I wrote to the writable open AWS bucket, I got:

upload: .poc.html to s3://box-video/poc.html

PoC as video (unlisted): https://youtu.be/V_ADlpGVD_w

PoC: box-video.s3.amazonaws.com/poc.html

Hopefully the bucket is yours and this isn't a waste of time. If you do own it, the good thing is that the bucket is not publicly readable and the file appears private by default after being written. However, assuming you own it, the security issue would be someone writing something malicious and someone on your team unknowingly opening it.

Note: This bucket was found by me as an open AWS bucket. Please resolve this issue. I hope you agree that it's a harmful vuln for your site and also for your team.

Regards,

Shaifullah Shaon
shaon.durjoy@gmail.com
https://facebook.com/shaifullah01

It's an Online IT Section.
Please subscribe to us.
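The report above is about a bucket that accepts anonymous writes. From the defender's side, the question is how to detect such a grant before a stranger does. The following is an added example, not code from the report or from Box: it audits, fully offline, the two documents that govern anonymous access to a bucket, the bucket policy (the JSON that `aws s3api get-bucket-policy` returns) and the bucket ACL (the shape `aws s3api get-bucket-acl` returns), and flags any grant that lets the anonymous principal or the AllUsers/AuthenticatedUsers groups write. The sample policy, ACL and bucket name are constructed for illustration and describe no real bucket. The durable fix in practice is to enable S3 Block Public Access on the account and the bucket, which makes such policies and ACLs ineffective; the audit below is for finding the grants that would otherwise still be in place.

```python
"""Offline audit of S3 bucket policy and ACL documents for public write grants.

Added example (not from the report). Inputs are the JSON documents AWS
returns; nothing here contacts AWS, and the sample data is constructed.
"""
import json

ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS_URI = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# Actions that create or remove objects; a wildcard covers them too.
WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:*", "*"}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """True for the anonymous principal: "*" or {"AWS": "*"} (possibly in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _grants_write(actions):
    """True if any listed action can write objects."""
    return any(a.lower() in WRITE_ACTIONS or a.lower().startswith("s3:put")
               for a in _as_list(actions))


def public_write_statements(policy):
    """Return (Sid, kind) for Allow statements that let anyone write.

    kind is "unconditional" when no Condition block is present, otherwise
    "conditional": a condition may narrow the grant and needs a human look.
    """
    findings = []
    for idx, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        if not _is_public_principal(st.get("Principal")):
            continue
        if not _grants_write(st.get("Action", [])):
            continue
        sid = st.get("Sid", f"statement[{idx}]")
        findings.append((sid, "conditional" if "Condition" in st else "unconditional"))
    return findings


def public_write_grants(acl):
    """Return (group, permission) for ACL grants giving WRITE or FULL_CONTROL
    to the AllUsers or AuthenticatedUsers group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        if grantee.get("URI") not in (ALL_USERS_URI, AUTH_USERS_URI):
            continue
        if grant.get("Permission") in ("WRITE", "FULL_CONTROL"):
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return findings


def audit(policy, acl):
    """Combine both checks into one report dict."""
    return {"policy": public_write_statements(policy), "acl": public_write_grants(acl)}


# Constructed sample policy: an anonymous upload grant next to a harmless
# account-scoped read grant. The bucket name and account id are made up.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AnonUpload", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "TeamRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}
""")

# Constructed sample ACL in the shape get-bucket-acl returns.
SAMPLE_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS_URI}, "Permission": "WRITE"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_POLICY, SAMPLE_ACL), indent=2))
```

Run it on real output by loading the `Policy` string from `get-bucket-policy` with `json.loads` and passing the `get-bucket-acl` document unchanged; a statement reported as "conditional" still needs manual review of its Condition block, since a condition such as a source-VPC or IP restriction may or may not make the grant safe.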
