Clearpool
Open IPFS gateway allows hosting arbitrary contents #18
cupid8917
started this conversation in
Bug reports
Replies: 1 comment 1 reply
-
Beta Was this translation helpful? Give feedback.
1 reply
-
|
@cupid8917 thank you for your report. We have applied a patch. |
Beta Was this translation helpful? Give feedback.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
Clearpool Finance is hosting open IPFS instance on host ipfs-gateway.clearpool.finance. Thus allowing anyone to host any content on the affected host. This allows attacker to get Stored Cross Site Scripting as well as hosting a wallet drainer on the host.
Business Impact
This could allow an attacker to host a fake mint page with wallet drainer thus resulting into funds lost of users.
Steps to Reproduce
QmYSdYGEFM2XgaaWn4d8uQUw64gWxoKBGryfDKNsFfBRvG)
Proof of Concept (PoC)
https://ipfs-gateway.clearpool.finance/ipfs/QmYSdYGEFM2XgaaWn4d8uQUw64gWxoKBGryfDKNsFfBRvG
You will notice that url in browser has been changed to /mint without navigating to make this attack look more legit.
Beta Was this translation helpful? Give feedback.
All reactions