3

We've got a client who uses Wufoo for their website's forms. One of their forms contains a file upload feature, which is set in Wufoo to place the uploaded file into a Dropbox folder. This Dropbox folder syncs to an office clerk's computer, so any uploaded file ends up on the office clerk's computer.

All computers that this Dropbox folder is shared with are Macs.

There is obviously an issue where someone can now place a file on the computer, but is this more dangerous than someone knowing your email address, as anyone can send you an email with an attachment?

Is there any potential security issue where someone could upload a malicious file that would then execute? Or any other potential issues?

If so, is there any way I could tighten this without losing functionality?

sam
  • The issue here is that the admin apparently syncs the data. This is highly insecure, mostly because the r-services are all vulnerable (TCP ports 512-514). I also see no reason to do this. – AdHominem Jan 31 '16 at 17:22
  • @AdHominem - apologies, bad choice of words on my behalf; when I wrote admin I meant an office administrator / office clerk, not a system admin. I've updated the question to make it clearer. – sam Jan 31 '16 at 17:36
  • Just run a seamless (on good hardware, of course) virtualized OS with a "weird" OS like a BSD system and have it synchronize the Dropbox folder there. Only open the files there. If you really need the files on other machines, convert the files if possible to another format twice and scan them with antivirus; then they should be clear to share with low and medium security systems. – Freedo Feb 01 '16 at 01:29

1 Answer

2

Yes, that is very dangerous. Because the attacker is able to place a file directly on the disk, simply viewing the directory contents can infect the machine. For example:

I assume that the computer syncing with Dropbox is running Windows. Windows shows preview images for all files (e.g. Word documents, text files, images, ...). Those are generated based on the contents of the file. Any file can exploit a vulnerability in such a thumbnail generator when the user opens the directory in Windows Explorer.

In addition to that, all security risks that apply to email attachments also apply to this scenario (malicious Word macros, etc.).

marstato
  • Actually, all computers that have access to this Dropbox folder are Macs; does that make any difference to your above answer? Is this any more of a threat than email attachments? Does having the file in your OS file system, as opposed to in your email client, affect how it's handled? – sam Jan 31 '16 at 20:43
  • AFAIC Mac does not create such thumbnails as naively as Windows, but it does, and thus is potentially vulnerable. However, the risk when actually opening the files with an application is magnitudes greater on both Windows and Mac. – marstato Jan 31 '16 at 20:46
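The answer and the comments converge on two points: the preview generator (Explorer on Windows, Quick Look in the Finder on a Mac) parses every synced file without anyone clicking it, and the bigger risk is a clerk opening an upload with Word or Preview. The script below is an added example, not code from the question, the answer, or Wufoo/Dropbox: it triages whatever lands in the synced folder before a person looks at it, quarantining anything that is not one of a few expected document types whose content actually matches its extension, rejecting double extensions and application bundles, refusing a `.docx` that carries a VBA project, and stripping execute bits from what it keeps. The folder names, the allowlist of types, and the sample uploads are all assumptions constructed for the demonstration; the idea is to run this on a machine that receives the Dropbox folder first (as Freedo's comment suggests) or from a folder watcher before the clerk's Finder window ever shows the files.

```python
"""Triage files arriving in a Dropbox-synced upload folder before anyone opens them.

Added example, not from the original question or answer. The folder layout,
the allowlist and the sample uploads are assumptions made for this demo.
"""
import shutil
import tempfile
import zipfile
from pathlib import Path

# Assumed allowlist: extension -> magic bytes a genuine file of that type starts with.
ALLOWED = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".docx": (b"PK\x03\x04",),  # OOXML is a zip container
}


def has_vba(path: Path) -> bool:
    """A .docx is a zip; a vbaProject.bin inside it means macros despite the extension."""
    try:
        with zipfile.ZipFile(path) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return True  # not a real OOXML container: treat as suspicious


def classify(path: Path) -> str:
    """Return 'ok' or a short reason the upload must not be opened as-is."""
    if path.is_dir():
        return "directory (possible app bundle)"  # e.g. Something.app on macOS
    suffixes = [s.lower() for s in path.suffixes]
    if len(suffixes) > 1:
        return "multiple extensions"  # conservative: also rejects dotted names
    ext = suffixes[0] if suffixes else ""
    if ext not in ALLOWED:
        return f"extension {ext or '(none)'} not allowed"
    with path.open("rb") as fh:
        head = fh.read(16)
    if not any(head.startswith(magic) for magic in ALLOWED[ext]):
        return "content does not match extension"
    if ext == ".docx" and has_vba(path):
        return "docx contains VBA macros"
    return "ok"


def triage(inbox: Path, quarantine: Path) -> dict:
    """Move anything not 'ok' into quarantine; strip execute bits from what stays."""
    quarantine.mkdir(parents=True, exist_ok=True)
    verdicts = {}
    for item in sorted(inbox.iterdir()):
        if item.resolve() == quarantine.resolve():
            continue  # quarantine may live inside the inbox
        verdict = classify(item)
        verdicts[item.name] = verdict
        if verdict == "ok":
            item.chmod(item.stat().st_mode & ~0o111)
        else:
            shutil.move(str(item), str(quarantine / item.name))
    return verdicts


def build_sample_inbox(root: Path) -> Path:
    """Constructed sample uploads (not real data) exercising each rule."""
    inbox = root / "Dropbox" / "Wufoo uploads"  # assumed sync folder name
    inbox.mkdir(parents=True)
    (inbox / "invoice.pdf").write_bytes(b"%PDF-1.4\n%constructed\n")
    (inbox / "photo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)
    (inbox / "scan.pdf").write_bytes(b"#!/bin/sh\necho constructed\n")  # script named .pdf
    (inbox / "resume.pdf.command").write_bytes(b"#!/bin/sh\n")  # double extension
    with zipfile.ZipFile(inbox / "form.docx", "w") as zf:  # docx carrying a VBA project
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", b"constructed")
    with zipfile.ZipFile(inbox / "clean.docx", "w") as zf:  # docx without macros
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    (inbox / "Installer.app").mkdir()  # a bundle is a directory, not a file
    return inbox


def run_demo() -> tuple:
    """Build the constructed inbox in a temp dir, triage it, return (inbox, verdicts)."""
    root = Path(tempfile.mkdtemp())
    inbox = build_sample_inbox(root)
    return inbox, triage(inbox, inbox / ".quarantine")


if __name__ == "__main__":
    inbox, verdicts = run_demo()
    for name, verdict in verdicts.items():
        print(f"{name:22} {verdict}")
```

Magic-byte checks only prove a file is the container it claims to be, not that it is benign: a well-formed PDF can still carry an exploit for the viewer, so this belongs in front of, not instead of, an antivirus scan and a disposable viewing machine. The `.docx` rule exists because the extension alone says nothing about macros; the zip listing does.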