With over 83.000 registered users and about 35.000.000 uploaded pictures abload.de is one of the biggest hoster for pictures in Germany. The service is online since 2006 and is very popular because of its usability and a big selection of options to modify the uploaded picture (image resizing, advanced options, etc.). Often those popular webapplications are in the scope of criminals who are interested in the userdata.
Sometimes we are in the mood of having a quick look at such websites followed by a responsible disclosure of the findings to the webmaster. We found an XSS in the rename functionality and after submitted this bug it has been fixed by the developers in a couple of minutes. There were huge problems handling privileges thus leading to some interesting horizontal privilege escalations.
The function responsible for cropping images protected the image data with a “key”-parameter. Unfortunately this parameter was not validated correctly. This allowed us to crop every uploaded picture to a size of 1x1 pixels. Furthermore there were some CSRF vulnerabilites. A lot of AJAX-Requests and thus a majority of all activities were not protected against CSRF. This allowed us to delete a users galleries just as well to create or rename new gallieries. It was also possible to delete / rename pictures if you knew the picture title. The team told us that nobody actively exploited these issues.
We have sent a very long email containg all information to the support on the 30th of february 2013. They have quickly replied and asked for a call in which we talked about the next steps. During the fixing process they have discovered a SQL injection bug which was fixed immediately.
We would like to thank the abload.de team for the great communication process and the appropiate fixes.
Update (4th of mai 2013): The Abload team was so kind to put a backlink on their “team”-page ( http://www.abload.de/team.php ).
Screenshot:
