huntr.dev report 396785A0-7BB6-4DB4-B4CB-607B0FD4AB4B
History: Apr 25, 2023 - 9:59 p.m.

File Upload Path Validation Error

2023-04-25 21:59:02
jomc98
www.huntr.dev
10
path traversal
file upload
security vulnerability
php code
input validation

EPSS

0.001

Percentile

39.4%

Description

An administrator user can use the easyUpload function to create files in any path on the system where the application has write permissions.

This vulnerability arises because the application is using user input to build the file path and does not properly validate this input.

Proof of Concept

The vulnerable PHP code is in core/functions.php, in the easyUpload function.

This function receives four parameters:

-The file itself

-The path of the file

-The new name for the file -> in some cases it is empty and a random name is generated

-The type of the file -> used correctly for file-type validation

Without any validation of the path components, the file is created on the file system using this construction, as we can see at lines 1569 and 1583:

UPLOAD_BASE_PATH + $location + $filename + $extension

The function easyUpload is used in multiple places, and in some of them it receives parameters that are passed directly from request input.

We can see an example in module/products/ajax.php, at line 524.

There, easyUpload receives these parameters:

array $file, 
string $location="products/{$_POST["productCode"]}",
string $newFileName=join("-", $pv) . "_" . $_POST["productVariationCode"][$vKey],
string $type="image"

As we can see, both location and newFileName are built from $_POST variables. We can then craft a malicious request with a path traversal payload in the productVariationCode parameter:

../../../../../../../../../../../../../../var/www/html/bumsys/inventedPath

Printing the real path that is used to create the image gives:

/var/www/html/bumsys/assets/upload/products/1242142141241241245/Red_../../../../../../../../../../../../../../var/www/html/bumsys/inventedPath.jpg

As we can see, the image ends up outside the upload directory: the traversal resolves to /var/www/html/bumsys/inventedPath.jpg.

Another example is in module/peoples/ajax.php, at line 522.
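The fix belongs in the place that builds the path, not in each caller. The following is an added example written for this report, not bumsys code: it shows a path-safe replacement for the UPLOAD_BASE_PATH + $location + $filename + $extension construction that rejects the productVariationCode payload above while still accepting a normal name. The function names safeUploadPath() and isSafeComponent(), the whitelist of allowed characters, the temporary base directory used in the demo and the sample values are assumptions made for this example.

```php
<?php
// Added example, not bumsys code. Path-safe replacement for the
// UPLOAD_BASE_PATH . $location . $filename . $extension construction used by
// easyUpload. Function names, the character whitelist, the demo base directory
// and the sample values are assumptions made for this example.

/**
 * A single path component that cannot traverse: letters, digits, '.', '_', '-'
 * only, and never '.' or '..' themselves. '/', '\\' and NUL bytes are excluded
 * by the whitelist, so "Red_../.." style names fail here.
 */
function isSafeComponent(string $s): bool
{
    return $s !== '.' && $s !== '..' && preg_match('/^[A-Za-z0-9._-]+$/', $s) === 1;
}

/**
 * Build the destination path for an upload under $base, or throw.
 * $location is a relative directory such as "products/<productCode>",
 * $filename the bare name without extension, $extension the value the
 * file-type check produced (e.g. ".jpg").
 */
function safeUploadPath(string $base, string $location, string $filename, string $extension): string
{
    // 1. The file name is the component the report abuses through
    //    $_POST["productVariationCode"]; it must be one safe component.
    if (!isSafeComponent($filename)) {
        throw new InvalidArgumentException("invalid file name: $filename");
    }
    // 2. Every segment of $location ($_POST["productCode"] in the report) too.
    $segments = explode('/', trim($location, '/'));
    foreach ($segments as $segment) {
        if (!isSafeComponent($segment)) {
            throw new InvalidArgumentException("invalid upload location: $location");
        }
    }
    // 3. The extension already passed the type check, but pin its shape anyway.
    if (preg_match('/^\.[A-Za-z0-9]{1,5}$/', $extension) !== 1) {
        throw new InvalidArgumentException("invalid extension: $extension");
    }

    $realBase = realpath($base);
    if ($realBase === false) {
        throw new RuntimeException("upload base does not exist: $base");
    }
    $dir = $realBase . '/' . implode('/', $segments);
    // Create the target directory only after validation, never before.
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        throw new RuntimeException("cannot create $dir");
    }
    // 4. Defence in depth: the resolved directory must still sit under $realBase
    //    (this also catches symlinks that point outside the upload tree).
    $realDir = realpath($dir);
    if ($realDir === false
        || strncmp($realDir . '/', $realBase . '/', strlen($realBase) + 1) !== 0) {
        throw new RuntimeException("upload directory escapes base: $dir");
    }
    return $realDir . '/' . $filename . $extension;
}

// Demo: a throw-away base directory stands in for UPLOAD_BASE_PATH.
$base = sys_get_temp_dir() . '/bumsys-demo/assets/upload';
if (!is_dir($base)) {
    mkdir($base, 0750, true);
}
// Constructed inputs: the traversal payload from the report and a benign name,
// both prefixed the way module/products/ajax.php builds $newFileName.
$traversal = '../../../../../../../../../../../../../../var/www/html/bumsys/inventedPath';
foreach (['Red_' . $traversal, 'Red_VAR01'] as $newFileName) {
    try {
        echo safeUploadPath($base, 'products/1242142141241241245', $newFileName, '.jpg'), PHP_EOL;
    } catch (Throwable $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Run it with `php example.php`: the first iteration is rejected with "invalid file name" before any directory is created, and the second returns a path inside the temporary upload tree. The whitelist check is what stops the attack; the realpath() containment check is kept as a second line of defence so that a later refactor that loosens the whitelist, or a symlink inside the upload tree, still cannot write outside the base directory. Note the ordering: mkdir() is called only after the location has been validated, since creating directories from unvalidated input is itself a way to make a traversal path resolvable.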
