Pentaho Business Analytics / Pentaho Business Server 9.1 Filename Bypass

Posted by deepcore on November 6, 2021 – 10:42 pm

Pentaho allows users to upload files of various types. The upload service is implemented under the /pentaho/UploadService endpoint. The file types allowed by the application are csv, dat, txt, tar, zip, tgz, gz, gzip. When a file with any other extension is uploaded, the application responds with the error message "UploadFileServlet.ERROR_0011 – File type not allowed. Allowable types are csv,dat,txt,tar,zip,tgz,gz,gzip". However, the file extension check can be bypassed by appending a single dot "." to the end of the filename.
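For defenders reviewing upload handlers, the following added example (not code from the post or from Pentaho) contrasts a hypothetical weak extension check with a hardened one using the allow-list quoted above. The post does not show Pentaho's implementation, so `naive_is_allowed` is only an assumption about one way a trailing dot can slip past such a check; all function names and sample filenames are constructed.

```python
import os

# Allow-list taken from the error message quoted in the post.
ALLOWED = {"csv", "dat", "txt", "tar", "zip", "tgz", "gz", "gzip"}


def naive_is_allowed(filename: str) -> bool:
    """Hypothetical weak check: validates the extension only if one is found."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext == "" or ext in ALLOWED


def strict_is_allowed(filename: str) -> bool:
    """Hardened check: only one canonical form of the name is accepted."""
    if not filename or any(ord(c) < 32 for c in filename):
        return False
    # The client-supplied name must be a bare file name, not a path.
    if "/" in filename or "\\" in filename or filename != os.path.basename(filename):
        return False
    # Trailing dots and spaces are dropped by the Win32 file APIs, so
    # "page.jsp." can end up stored as "page.jsp". Refuse rather than normalise.
    if filename != filename.rstrip(". "):
        return False
    stem, dot, ext = filename.rpartition(".")
    if not dot or not stem:
        return False  # no extension at all, or a dot-file such as ".csv"
    return ext.lower() in ALLOWED


def disagreements(names):
    """Names the weak check accepts but the hardened check rejects."""
    return [n for n in names if naive_is_allowed(n) and not strict_is_allowed(n)]


# Constructed sample upload names, not taken from the post.
SAMPLES = ["report.csv", "archive.tar.gz", "page.jsp", "page.jsp.",
           "page.jsp. ", "DATA.CSV", ".csv", "noext"]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name!r:16} naive={naive_is_allowed(name)!s:5} "
              f"strict={strict_is_allowed(name)}")
    print("accepted only by the weak check:", disagreements(SAMPLES))
```

Running the same comparison over logged upload filenames is a quick way to spot names that only a lenient check would have accepted. Storing uploads under a server-generated name rather than the client-supplied one removes the dependency on this check altogether.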

