remote code execution vulnerability in ajax_calls.php in save_img action because of no validation on extension name. #600
Comments
CVE assigned: CVE-2020-10567
Hello @hackoclipse, I am unable to reproduce. Which version has this vulnerability? Regards. EDIT: It seems that older versions are not affected by this issue.
It still works in the newest version.
Hi @hackoclipse, thanks for clarifying that. I confirm it works on the latest version. I was testing an older version and it did not work because the upload of Regards
Yeah, I'm at the moment looking at the code and you're right: in 9.13.4 the code was a bit different and it checked for an AWS bucket.
On versions <= 9.13.0 (at least) it is possible to upload files by specifying There's also SSRF on
Yep, that's why I won't recommend using it at all. You're interesting @joaovarelas, maybe you should join the bug bounty hunters server:
How can you inject PHP code into an image file?
Hello, I explored this some time ago, but I think it was uploading an HTML-crafted file with PHP code inside.
Does it work for version 9.14.0?
was a different one.
Hi there, I've tried your PoC and it works, but when I try to use my PHP payload (not phpinfo), inject the code into the image file using exiftool and encode the image with a base64 encoder, then when I access my file containing the PHP payload I get a 500 error. Thank you, and sorry for my bad English.
The PoC was minimized for a reason, as anti-script-kiddie protection.
Hello, can I add your Telegram?
After taking another look at your application I noticed in the ajax_calls.php file, in the "save_img" action, that the "name" parameter doesn't validate the extension of the file.
This makes it possible to upload PHP files to the server even though this normally should not be allowed.
There was a minor validation to check that the data from the "url" parameter started with "data:image/jpeg;base64," and that the base64-encoded image is a valid image.
A simple workaround to bypass this check is to upload a valid JPEG image, but with a PHP tag sent inside its EXIF data.
This makes it possible to send PHP code while the extension becomes php, which leads to remote code execution.
As a PoC I will send a normal image where the base64-encoded image contains phpinfo() as PHP code.
Here is a simple JavaScript PoC that will send a POST request to the page "http://192.168.0.29:3001/filemanager/ajax_calls.php?action=save_img" where the "path" parameter is empty, the url contains my image with phpinfo in the EXIF data and the name is set to poc.php.
You will need to change the IP and port to your webserver, and this code has to be run on the filemanager's dialog.php page, because the session is validated; by running the code from the dialog page the session is set and you won't get errors.
If you run this command from the browser's console on the dialog page, a new file will be created in the /source/ folder called poc.php (UPLOAD_DIR).
Then just go to "http://YOURURL/source/poc.php" and you will see the phpinfo() code executed.
Here is a copy of the Burp request:
And here is a copy of the image, URL-decoded:
A CVE has been requested and a potential fast patch is to disable save_img in the config file.
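A hardening example for the two weaknesses described in this report: the unchecked extension on the "name" parameter and PHP code surviving inside the EXIF data of an otherwise valid JPEG. This is added example code, not the project's own; the `$_POST['name']` / `$_POST['url']` parameter names follow the report, while the extension allowlist and the GD re-encoding step are assumptions about how a maintainer might patch the `save_img` action.

```php
<?php
// Added hardening example, not the project's own code. It assumes the save_img
// action reads $_POST['name'] and $_POST['url'] as the report describes; the
// extension allowlist and the GD re-encoding step are the proposed mitigation.
declare(strict_types=1);

const SAVE_IMG_ALLOWED_EXT = ['jpg', 'jpeg', 'png'];

// Return a safe file name for "name", or null to reject the request. Directory
// parts are stripped, the final extension must be on the allowlist, and dots in
// the stem are replaced, so "poc.php" is rejected and "poc.php.jpg" becomes
// "poc_php.jpg" instead of keeping a double extension.
function safe_save_img_name(string $name): ?string
{
    $base = basename(str_replace('\\', '/', $name));
    $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!in_array($ext, SAVE_IMG_ALLOWED_EXT, true)) {
        return null;
    }
    $stem = preg_replace('/[^A-Za-z0-9_-]/', '_', pathinfo($base, PATHINFO_FILENAME));
    return ($stem === null || $stem === '') ? null : $stem . '.' . $ext;
}

// Decode the "data:image/jpeg;base64," payload and re-encode it with GD. The
// re-encoded JPEG carries no EXIF block, so code hidden in metadata (the bypass
// in the report) never reaches disk. Returns clean bytes, or null if not a JPEG.
function clean_jpeg_from_data_url(string $url): ?string
{
    $prefix = 'data:image/jpeg;base64,';
    if (strncmp($url, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    $raw = base64_decode(substr($url, strlen($prefix)), true); // strict decode
    if ($raw === false) {
        return null;
    }
    $info = @getimagesizefromstring($raw);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        return null;
    }
    $img = @imagecreatefromstring($raw);
    if ($img === false) {
        return null;
    }
    ob_start();
    imagejpeg($img, null, 90);
    $clean = ob_get_clean();
    return $clean === false ? null : $clean;
}
```

Write the result under UPLOAD_DIR only when both functions return non-null, and keep script execution disabled for that directory at the web server as a second layer.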