
Bug: S3 Bucket misconfiguration at https://github.com/rarible/service-core.git can lead to XSS or arbitrary malicious code injection, i.e. overwrite permission granted to other users. #425

Open
bhartisaurav opened this issue Feb 11, 2025 · 1 comment

Comments

@bhartisaurav

Hi Team,
Hope everything is going well on your side.

Recently, while going through your GitHub code I came across an S3 bucket, i.e.:

Bucket: https://s3.us-west-2.amazonaws.com/sing.serve

Somehow this bucket has overwrite permission but not listing permission for other users, which could be fatal for the organization as it could easily lead to XSS or arbitrary malicious code at your developer/user end, because an attacker can host malicious files in your S3 bucket. So, this issue must be resolved immediately.

Steps to reproduce:

  1. Go to the GitHub repo: https://github.com/rarible/service-core.git
  2. Search for the bucket: sing.serve (screenshot)
  3. Write a test file to the S3 bucket. (screenshot)
  4. Overwrite the same test file with another file at the public S3 bucket. (screenshot)

POC:

  1. Write a test file to the public S3 bucket. (screenshot)
  2. See the written content. (screenshot)
  3. Overwrite another file at the public S3 bucket. (screenshot)
  4. See the overwritten content. (screenshot)

Impact of this vulnerability:

  • Malware Hosting: Attackers have uploaded malware to open buckets, leveraging them to distribute harmful software, which could lead to XSS or arbitrary malicious code injection and could be fatal for the organization.
  • Increased Storage Costs: Abusers may upload large files or use the bucket for illegal purposes, significantly increasing AWS costs.
  • Customer Trust: If sensitive files or applications hosted in the bucket are tampered with, customers may lose confidence in the company.
  • Website Defacement: Open buckets hosting static websites have been exploited to deface content or inject malicious scripts.
  • Data Leaks: Several high-profile data breaches occurred due to misconfigured S3 buckets, exposing millions of sensitive records.

Remediation:

  • In your AWS S3 dashboard, change the S3 bucket policy of this bucket so that other users cannot write to or access it.

Thanks & Regards,
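As an added example (not part of the report above and not Rarible's code), the following script checks a bucket policy document for the condition the report describes: an Allow statement that grants write actions to every principal. The two policy documents are constructed samples; the bucket name and Sids are placeholders, and the check ignores Condition blocks and bucket ACLs.

```python
import fnmatch
import json

# Constructed sample: a policy that lets anyone upload (PutObject) but not list the bucket.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowUploads", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"}
    ]})

# Constructed sample: the same bucket after remediation, public reads only, no public write.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}
    ]})

# Actions that let an outsider create, replace or delete objects.
WRITE_ACTIONS = ("s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl")

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _is_public(principal):
    # "*" or {"AWS": "*"} means any caller, including anonymous ones.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def public_write_statements(policy_json):
    """Return the Sids of Allow statements granting a write action to everyone."""
    found = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_public(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action", []))
        # Wildcard patterns such as s3:* or s3:Put* also cover the write actions.
        if any(fnmatch.fnmatchcase(w, a) for a in actions for w in WRITE_ACTIONS):
            found.append(stmt.get("Sid", "<no Sid>"))
    return found

if __name__ == "__main__":
    print("weak policy offending Sids:", public_write_statements(WEAK_POLICY))
    print("fixed policy offending Sids:", public_write_statements(FIXED_POLICY))
```

A bucket can also be writable through its ACL (a WRITE or FULL_CONTROL grant to the AllUsers group) even with a clean policy, so both should be reviewed, and enabling S3 Block Public Access on the bucket prevents such grants from taking effect.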

@bhartisaurav
Author

bhartisaurav commented Feb 11, 2025

Apart from this, I also found two unclaimed S3 buckets inside the test directory of the repo: https://github.com/rarible/flow-indexer-public/blob/77c6647518388577a718bdde505b3757cc716463/api/src/test/kotlin/com/rarible/flow/api/meta/provider/legacy/FanfareMetaProviderTest.kt#L31C13-L32C100

buckets: nftfm-videos, fanfare-songs

It would be good if these buckets were removed from the test.

Note: I am unable to report these bugs on your bug bounty program as you have closed it, so I reported it here.
