Affected version: Pear HTTP_Upload 1.0.0b3
Download: https://pear.php.net/manual/en/package.http.http-upload.php
Vulnerability type: arbitrary file upload
About Pear HTTP_Upload:
Pear's HTTP_Upload class library provides a convenient wrapper for handling HTML form file uploads. It can handle multiple file uploads, makes it easy to check upload status, limits undesired file uploads, and supports multilingual error messages (there is no Chinese, but it can be extended).
The package ships with an "upload_example.php" file for testing it. When a "restricted" PHP file is uploaded, the user receives a message similar to "unauthorized file transfer".
HTTP/Upload.php, line 488:
var $_extensionsCheck = array('php', 'phtm', 'phtml', 'php3', 'inc');
You might expect mixed case to bypass this list, so look further down the code, at line 503:
var $_extensionsCaseSensitive = true;
The name alone does not make clear what this variable does. The comment at line 874 explains it:
* @param bool $case_sensitive whether extension check is case sensitive.
* When it is case insensitive, and the extension
* is lowercased before compared to the array
* of valid extensions.
The comment shows that this variable controls whether the extension check is case-sensitive. It is enabled by default, so mixed case does not bypass the check.
However, some developers do not know that Apache can also process files with certain other extensions:
1. php.1
2. php.;
and so on. Using this is very simple.
Upload file name: ext_bypass.php.1
Test environments:
Successfully tested on: Bitnami wampstack-5.6.29-0.
Server version: Apache/2.4.23 (Win64)
Successfully tested on: XAMPP for Linux 5.6.8-0
Server version: Apache/2.4.12 (Unix)
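
The bypass above works against a check that looks only at the final extension. As an added example (not code from HTTP_Upload or from the original write-up), the sketch below models that deny-list check, assuming it compares just the text after the last dot, beside an allowlist check that rejects multi-extension names; all function names are hypothetical and PHP 7 or later is assumed.

```php
<?php
// Added example, not HTTP_Upload's own code. Function names are hypothetical.

// Model of the deny-list check described above. Assumption: only the text
// after the last dot is compared against the list from Upload.php.
function denylist_last_ext_ok(string $name): bool
{
    $deny = ['php', 'phtm', 'phtml', 'php3', 'inc'];
    $ext  = pathinfo($name, PATHINFO_EXTENSION);
    return !in_array($ext, $deny, true);
}

// Hardened check: allowlist the final extension and refuse any name with
// more than one dot-separated extension, so a name such as "x.php.1" is
// rejected regardless of what the last segment is.
function allowlist_name_ok(string $name, array $allow = ['jpg', 'png', 'pdf']): bool
{
    $parts = explode('.', strtolower(basename($name)));
    if (count($parts) !== 2 || $parts[0] === '') {
        return false; // no extension, dotfile, or multiple extensions
    }
    return in_array($parts[1], $allow, true);
}

// The name written to disk is generated server-side; the client-supplied
// name is never used as a path component.
function stored_name(string $name): string
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names, including the two forms listed above.
$samples = ['photo.jpg', 'ext_bypass.php', 'ext_bypass.php.1', 'ext_bypass.php.;'];
foreach ($samples as $n) {
    $ok = allowlist_name_ok($n);
    printf(
        "%-18s denylist=%-5s allowlist=%-5s stored=%s\n",
        $n,
        var_export(denylist_last_ext_ok($n), true),
        var_export($ok, true),
        $ok ? stored_name($n) : '-'
    );
}
```

Storing uploads outside the web root, or in a directory where the server has no script handler enabled, removes the dependency on filename checks altogether.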