Vulnerability impact: Pear HTTP_Upload 1.0. 0b3
Vulnerability type: arbitrary file upload
Pear HTTP_Upload profile:
Pear's HTTP_Upload class library provides a good package of html form file upload handler. Features can handle multiple file upload, easy to check file upload status, limiting undesired file uploads, multi-lingual error message, also no Chinese, but can be extended)
The package comes with a“upload_example.php”file to test the package, when the transmission of“restricted”of the PHP file, the user will receive a similar“unauthorized file transfer”message.
HTTP/Upload.php 488 line:
var $_extensionsCheck = array('php', 'phtm', 'phtml', 'php3', 'inc');
Here you might have thought the use of mixed case will be able to bypass, and then we look down the code 503:
var $_extensionsCaseSensitive = true;
Don't look down don't know for sure this variable is set or something. 874 lines:
* @param bool $case_sensitive whether extension check is case sensitive. * When it is case insensitive, and the extension * is lowercased before compared to the array * of valid extensions.
By the above comments it can be found in this extension is to check whether or not case-sensitive. The default is open, so the use of mixed case is not bypassed.
Then some developers don't know Apache can also handle some file extension
1, PHP. 1 2, PHP.;
Etc file. The next use is very simple.
Upload files name: ext_bypass. php. 1
The following environmental testing:
Sucessfully Tested on: Bitnami wampstack-5.6.29-0. Server version: Apache/2.4.23 (Win64) Sucessfully Tested on: XAMPP for Linux 5.6.8-0 Server version: Apache/2.4.12 (Unix)