
Unrestricted File Upload

By default, in the config.php file, the application allows uploading files of dangerous types, such as SVG and PDF.

<?php
// Default configuration returned as a JSON document.
// "AM_ALLOWED_FILE_TYPES" is the allow-list consulted when a file is uploaded; it
// appears to be checked against the uploaded filename only (FileSystem::isAllowedFileType
// receives the name, not the content). svg and pdf are formats a browser renders and
// that can carry script, so a deployment that does not need them should remove them
// from this list.
return <<< JSON
{
    "AM_ALLOWED_FILE_TYPES": "dmg, iso, rar, tar, zip, aiff, m4a, mp3, ogg, wav, ai, dxf, eps, gif, ico, jpg, jpeg, png, psd, svg, tga, tiff, avi, flv, mov, mp4, mpeg, css, js, md, pdf",
    "AM_CACHE_ENABLED": true,
    "AM_CACHE_LIFETIME": 43200,
    "AM_CACHE_MONITOR_DELAY": 120,
    "AM_DEBUG_ENABLED": false,
    "AM_FEED_ENABLED": true,
    "AM_FEED_FIELDS": "+hero, +main",
    "AM_FILE_GUI_TRANSLATION": "",
    "AM_HEADLESS_ENABLED": false
}
JSON;

The application also does not validate the content type, as shown in the code snippets below, which are associated with the upload method in the FileCollectionController.php file located at src\UI\Controllers.

/** src\UI\Controllers\FileCollectionController.php **/

/**
 * Handle a file upload request from the UI.
 *
 * The destination directory is derived from the posted URL; when no URL is
 * posted, the /shared path is used. The raw $_FILES array is handed to
 * FileCollectionModel::upload() unchanged, so all validation happens there.
 *
 * @return Response the response built by FileCollectionModel::upload()
 */
public static function upload() {
	$Automad = UICache::get();

	// Passes the complete POST body plus the upload metadata to the debug log.
	Debug::log($_POST + $_FILES, 'files');

	return FileCollectionModel::upload(
		$_FILES,
		FileSystem::getPathByPostUrl($Automad)
	);
}

Model: FileCollectionModel.php

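/**
 * Move every file posted under the "files" key into $path.
 *
 * A file is accepted on the basis of its filename alone
 * (FileSystem::isAllowedFileType); the uploaded content is never inspected,
 * so any extension listed in AM_ALLOWED_FILE_TYPES that a browser renders as
 * active content (svg, pdf) is stored exactly as received. Tightening the
 * allow-list, or serving uploads as attachments, is the mitigation for that.
 *
 * @param array  $files the raw $_FILES array (parallel name/tmp_name arrays)
 * @param string $path  destination directory; the slugged filename is appended
 *                      directly, so it is expected to end with a slash
 * @return Response carries an error message when the destination is not
 *                  writable, a file type is rejected, or a move fails
 */
public static function upload(array $files, string $path) {
	$Response = new Response();

	// Nothing posted under "files": an empty response signals success.
	if (!isset($files['files']['name'])) {
		return $Response;
	}

	// Check if upload destination is writable.
	if (!is_writable($path)) {
		$Response->setError(Text::get('error_permission') . ' "' . basename($path) . '"');

		return $Response;
	}

	$errors = [];

	// $_FILES holds parallel arrays for multi-file uploads (IE uploads!),
	// so the index of each name selects the matching temporary file.
	foreach ($files['files']['name'] as $i => $name) {
		// Check if file has a valid filename (allowed file type).
		if (!FileSystem::isAllowedFileType($name)) {
			$errors[] = Text::get('error_file_format') . ' "' .
						FileSystem::getExtension($name) . '"';
			continue;
		}

		$newFile = $path . Str::slug($name);

		// move_uploaded_file() returns false when the source is not a genuine
		// upload or the destination cannot be written. Record that as an
		// error instead of reporting success for a file that was never stored.
		if (!move_uploaded_file($files['files']['tmp_name'][$i], $newFile)) {
			$errors[] = Text::get('error_permission') . ' "' . basename($newFile) . '"';
		}
	}

	Cache::clear();

	if ($errors) {
		$Response->setError(implode('<br />', $errors));
	}

	return $Response;
}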

This issue allows a pentester to upload an SVG or PDF file containing malicious content that executes arbitrary JS code, which acts as a stored XSS payload.

SVG File:

1

2

PDF File:

3

4