Hi,

Vendor: Files.com
Product: Fat Client
Tested version: 3.3.6, but newer versions are highly likely also affected
Credit: Balazs Hambalko, IT Security Consultant

This vulnerability was identified and reported promptly to the vendor in April 2020. The answer was that they do not see any risk here. Anyway, I would like to share my POC video, only for learning purposes.

According to the vendor there is no risk here; on the other hand, I built up a playground and, being a Domain Admin, I could gain a normal user's Files.com storage access.

Personally, I do not recommend using this solution in an environment where somebody can access your C drive (using a Windows Domain or shared machines: library, net café, and so on...).

POC: https://youtu.be/Ay_iYFtPrcs

Kind regards,
Balazs Hambalko

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
