Nextcloud: Avatar image upload and bypass real image verification

2016-06-18T01:50:10
ID H1:145604
Type hackerone
Reporter dremos
Modified 2017-01-15T22:07:23

Description

Hi

We can bypass Avatar Upload image verification and extension uploading a php file or any other extension binding a valide jpeg image , there is no risk for the moment because the avatar is renamed to avatar_upload on the remote server , but it ll be nice to secure this part of code .

Example

here is the same file with two different extension :

http://91.121.108.101/image1.jpg http://91.121.108.101/image1.php <== execute php code inside the image

1) download image1.jpg

2) as you can see if you open the file image1.jpg file on notepad it hide php code ( phpinfo(); function in this case .

3) rename image1.jpg to image1.php , and try to upload it on the avatar upload form , it pass the verification .

This verification is not enought in this file : /core/controller/avatarcontroller.php

if ($image-&gt;valid()) {
            $mimeType = $image-&gt;mimeType();
            if ($mimeType !== 'image/jpeg' && $mimeType !== 'image/png') {
                return new DataResponse(
                    ['data' =&gt; ['message' =&gt; $this-&gt;l-&gt;t('Unknown filetype')]],
                    Http::STATUS_OK,
                    $headers
                );
            }