Describe the bug
An attacker can upload files with dangerous types to OpenDocMan 1.4.4 via add.php using a MIME bypass.
The file is available under a specific ID, which is returned in the response from the application.
To Reproduce
Steps to reproduce the behavior:
1. Log in to the application.
2. Click on "Add Document".
3. Create a file named "example.php.gif" containing the string: GIF89a;<?php echo shell_exec($_GET['cmd']); ?>
4. The document is uploaded successfully and the Location header describes the location of the file.
5. The file is available under the provided ID with a .dat extension under the /document_repository directory.
Expected behavior
The application should reject the file based on the magic bytes provided.
Screenshots
Step 1: Adding the document with malicious content.
Step 2: Retrieving the content.
Versions (where applicable):
OpenDocMan: 1.4.4
MySQL: 10.4
PHP: 7.0
Web Server Type: Apache
Web Server Version: 2.4.51
OS: Kali Linux/Debian
Browser: Firefox
Browser Version: 91.5.0esr
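
An added example, not OpenDocMan's code and not the reporter's: one way to write the server-side upload check that the expected behavior asks for, in PHP. The function name `check_upload`, the allowlist and the script-extension list are assumptions made for this illustration.

```php
<?php
// Added example with hypothetical names; this is not OpenDocMan code.
const ALLOWED = [                 // extension => type sniffed from the bytes
    'gif' => 'image/gif',
    'png' => 'image/png',
    'pdf' => 'application/pdf',
];
const SCRIPT_EXTS = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'pht'];

// Returns null when the upload is acceptable, otherwise the rejection reason.
function check_upload(string $clientName, string $tmpPath)
{
    $parts = array_map('strtolower', explode('.', basename($clientName)));
    array_shift($parts);          // drop the base name, keep every extension
    if ($parts === []) {
        return 'no extension';
    }
    // A script extension anywhere in the name (example.php.gif) is rejected.
    if (array_intersect($parts, SCRIPT_EXTS)) {
        return 'script extension in file name';
    }
    $ext = end($parts);
    if (!array_key_exists($ext, ALLOWED)) {
        return 'extension not on allowlist';
    }
    // Sniff the type from the content; the client's Content-Type is ignored.
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($sniffed !== ALLOWED[$ext]) {
        return "content is $sniffed, not " . ALLOWED[$ext];
    }
    // A valid magic prefix says nothing about the rest of the file.
    if (preg_match('/<\?php/i', file_get_contents($tmpPath))) {
        return 'PHP open tag in content';
    }
    return null;
}

// Constructed sample: a GIF header followed by a harmless PHP tag.
$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, 'GIF89a;<?php /* constructed sample */ ?>');
var_dump(check_upload('example.php.gif', $tmp));   // double extension
var_dump(check_upload('example.gif', $tmp));       // clean name, same bytes
unlink($tmp);
```

The content scan is a tripwire rather than a complete filter, since it only looks for the long open tag. It belongs alongside storing uploads under a server-generated name in a directory where the web server never executes scripts.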