An administrator user can use the easyUpload function to create files in any path of the system where the application has write permissions. This vulnerability arises because the application uses user input to build the file path and does not properly validate that input.
The vulnerable PHP code is in core/functions.php, in the easyUpload method.
This function receives 4 parameters:
-The file itself
-The path of the file
-The new name for the file –> In some cases it is empty and a name is generated randomly
-The type of the file –> Used correctly for file type validation
Without any validation, the file is created on the file system using this construction, as we can see on lines 1569 and 1583:
UPLOAD_BASE_PATH + $location + $filename + $extension
The easyUpload function is used in multiple places, and in some of them it receives parameters that are passed directly from request input. We can see an example in module/products/ajax.php, on line 524.
There, easyUpload receives these parameters:
array $file,
string $location="products/{$_POST["productCode"]}",
string $newFileName=join("-", $pv) . "_" . $_POST["productVariationCode"][$vKey],
string $type="image"
As we can see, the location and the newFileName are built from $_POST variables. We can then craft a malicious request with a path traversal in the productVariationCode parameter, as shown in the image:
../../../../../../../../../../../../../../var/www/html/bumsys/inventedPath
We have printed the real path that is being used to create the image:
/var/www/html/bumsys/assets/upload/products/1242142141241241245/Red_../../../../../../../../../../../../../../var/www/html/bumsys/inventedPath.jpg
As we can see, the image has been uploaded to that file system path:
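To make the construction and its fix concrete, here is an added example (not code from bumsys or from the writeup's author): a function mirroring the unvalidated UPLOAD_BASE_PATH + $location + $filename + $extension build, beside a hardened version that allow-lists every user-controlled segment, restricts the extension, and confirms that the normalised result still lives under the upload base. UPLOAD_BASE_PATH is taken from the path printed above; the function names and the request values are assumptions constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example for this writeup, not code from bumsys itself. UPLOAD_BASE_PATH
// is taken from the path printed in the writeup; the function names and the
// product/variation values below are assumptions constructed for the demo.
const UPLOAD_BASE_PATH = '/var/www/html/bumsys/assets/upload/';

// Same shape as the construction the writeup describes:
// UPLOAD_BASE_PATH + $location + $filename + $extension, with no validation.
function vulnerableUploadPath(string $location, string $filename, string $extension): string
{
    return UPLOAD_BASE_PATH . $location . '/' . $filename . $extension;
}

// Lexically resolves "." and ".." so we can see where a path really lands
// (realpath() would need the directories to exist on disk).
function normalizePath(string $path): string
{
    $out = [];
    foreach (explode('/', $path) as $part) {
        if ($part === '' || $part === '.') {
            continue;
        }
        if ($part === '..') {
            array_pop($out); // popping at the root is a no-op, as the kernel does
            continue;
        }
        $out[] = $part;
    }
    return '/' . implode('/', $out);
}

// Hardened variant: each attacker-influenced segment must match a strict
// allow-list (which excludes "/", "\" and ".."), the extension must be one we
// expect, and the normalised result must still be under the base directory.
function safeSegment(string $value): string
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $value)) {
        throw new InvalidArgumentException("Rejected path segment: {$value}");
    }
    return $value;
}

function hardenedUploadPath(array $locationSegments, string $filename, string $extension): string
{
    if (!in_array(strtolower($extension), ['.jpg', '.jpeg', '.png', '.gif'], true)) {
        throw new InvalidArgumentException("Rejected extension: {$extension}");
    }
    $location = implode('/', array_map('safeSegment', $locationSegments));
    $target = UPLOAD_BASE_PATH . $location . '/' . safeSegment($filename) . $extension;

    // Defence in depth: even if a segment check were bypassed, refuse anything
    // that normalises outside the upload base.
    $base = normalizePath(UPLOAD_BASE_PATH) . '/';
    if (strncmp(normalizePath($target), $base, strlen($base)) !== 0) {
        throw new RuntimeException('Path escapes upload base');
    }
    return $target;
}

// Constructed request values, modelled on module/products/ajax.php line 524.
$productCode = '1242142141241241245';
$variation = ['Red'];
$payload = '../../../../../../../../../../../../../../var/www/html/bumsys/inventedPath';

$vuln = vulnerableUploadPath("products/{$productCode}", implode('-', $variation) . '_' . $payload, '.jpg');
echo "Vulnerable build : {$vuln}\n";
echo "Actually writes  : " . normalizePath($vuln) . "\n";

try {
    hardenedUploadPath(['products', $productCode], implode('-', $variation) . '_' . $payload, '.jpg');
} catch (InvalidArgumentException $e) {
    echo "Hardened build   : " . $e->getMessage() . "\n";
}

// A benign request still goes through the hardened path builder.
echo "Benign           : " . hardenedUploadPath(['products', $productCode], 'Red_VAR-01', '.jpg') . "\n";
```

Run it with the php CLI: the vulnerable build prints the same long path shown above, and normalizePath() shows where the kernel would actually place the write, while the hardened build rejects the "Red_../..." filename segment before any file is created. The "Red_" prefix added by the application does not stop the traversal, because "Red_.." is just one more directory component that the following "../" segments climb out of.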
Another example is in module/peoples/ajax.php, on line 522.