oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Arbitrary File Upload File Upload Vulnerability in php-traditional-server v1.2.2

From: "Larry W. Cashdollar" <larry0 () me com>
Date: Tue, 20 Nov 2018 17:08:59 -0500
Title: Arbitrary File Upload File Upload Vulnerability in php-traditional-server v1.2.2
Author: Larry W. Cashdollar, @_larry0
Date: 2018-11-15
CVE-ID:[CVE-2018-9209]
CWE: CWE-434 Arbitrary File Upload
Download Site: N/A
Vendor: FineUploader
Vendor Notified: 2018-11-15, software discontinued. 

Advisory: http://www.vapidlabs.com/advisory.php?v=208

Description: PHP-based server-side example for handling traditional endpoint requests from Fine Uploader

Vulnerability:
The code in endpoint.php allows file uploads and doesn't check if the users authenticated or the file type.  This 
allows for executable files to be uploaded and therefore remote code execution. 

Lines 37-38 from endpoint.php:

37: // Specify the list of valid extensions, ex. array("jpeg", "xml", "bmp")
38: $uploader->allowedExtensions = array(); // all files types allowed by default

Exploit Code:
https://github.com/lcashdol/Exploits/tree/master/CVE-2018-9209
Previous By Date Next
Previous By Thread Next

Current thread: