This bug found in one of Facebook domains (api.techprep.fb.com) could allowed an attacker to upload files to the server. All filetypes were supported that could lead to XSS.
Reproduction Instructions / Proof of Concept
1-Sign up in techprep.fb.com
2-After logging in, the attacker intercept any request to api.techprep.fb.comthen get the _Applicationid
3-The attacker make a POST request to api.techprep.fb.com/parse/files/FILENAME.EXT with the header X-Parse-Application-Id:+(_Applicationid)
and the Content-Type: header then the file content (HTML File or image)
The respond of the request contains the file path
This bug is found because the Parse Server was used without disabling the uploading files feature and without implementing ACL when configuring the server.
Timeline
Dec 21, 2017 — Report Sent
Dec 27, 2017 — Further investigation by Facebook
Jan 22, 2018 — Fixed by Facebook
Jan 24, 2018 — Bounty Awarded by Facebook