Pear HTTP_Upload 1.0.0b3 - arbitrary file upload

2017-02-09T00:00:00
ID SSV:92668
Type seebug
Reporter 孤独风
Modified 2017-02-09T00:00:00

Description

Vulnerability description

Affected version: Pear HTTP_Upload 1.0.0b3

Download: https://pear.php.net/manual/en/package.http.http-upload.php

Vulnerability type: arbitrary file upload

Pear HTTP_Upload overview:

Pear's HTTP_Upload class library provides a convenient wrapper for handling HTML form file uploads. It can handle multiple file uploads, makes it easy to check the upload status, restricts undesired file uploads, and provides multilingual error messages (there is no Chinese yet, but it can be extended).

Vulnerability details

The package ships with an "upload_example.php" file for testing it. When a "restricted" PHP file is uploaded, the user receives a message similar to "unauthorized file transfer".

HTTP/Upload.php, line 488:

var $_extensionsCheck = array('php', 'phtm', 'phtml', 'php3', 'inc');

At this point you might think that mixed case would bypass the check, but look further down the code, at line 503:

var $_extensionsCaseSensitive = true;

Without reading further it is not clear what this variable is for. Line 874:

 * @param bool $case_sensitive whether extension check is case sensitive.
 * When it is case insensitive, and the extension
 * is lowercased before compared to the array
 * of valid extensions.

The comment above shows that this variable controls whether the extension check is case sensitive. It is enabled by default, so mixed case does not bypass the check.

However, some developers do not know that Apache can also handle files with extensions such as

1. php.1
2. php.;

and so on. Making use of this is very simple.

Upload file name: ext_bypass.php.1

Test environments:

Successfully tested on: Bitnami wampstack-5.6.29-0.
Server version: Apache/2.4.23 (Win64)

Successfully tested on: XAMPP for Linux 5.6.8-0
Server version: Apache/2.4.12 (Unix)
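
The following is an added example, not code from HTTP_Upload or from the original report. It models a blacklist check that looks only at the final extension, which is the behaviour the file names above rely on, next to a stricter allowlist check. The function names, the allowlist and the sample file names are assumptions, and PHP 7.1 or later is assumed.

```php
<?php
// Added example: the names and lists below are assumptions, not HTTP_Upload code.

// The blacklist quoted above from HTTP/Upload.php.
const BLOCKED = ['php', 'phtm', 'phtml', 'php3', 'inc'];
// Hypothetical allowlist for an application that accepts only images and PDFs.
const ALLOWED = ['png', 'jpg', 'jpeg', 'gif', 'pdf'];

// Weak model: compares only the text after the last dot with the blacklist.
function lastExtensionBlocked(string $name): bool
{
    $ext = pathinfo($name, PATHINFO_EXTENSION);
    return in_array($ext, BLOCKED, true);
}

// Hardened check: returns a server-generated storage name, or null to reject.
function safeStoredName(string $name): ?string
{
    // Drop any client-supplied directory part (both separator styles).
    $name = basename(str_replace('\\', '/', $name));
    // Plain characters only: rejects ';', control bytes, leading dots, empty names.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$/', $name)) {
        return null;
    }
    $parts = explode('.', strtolower($name));
    array_shift($parts);            // drop the base name, keep every extension
    // Exactly one extension is allowed, and it must be on the allowlist.
    if (count($parts) !== 1 || !in_array($parts[0], ALLOWED, true)) {
        return null;
    }
    // Never reuse the client-supplied name on disk.
    return bin2hex(random_bytes(16)) . '.' . $parts[0];
}

// Constructed sample names, including the two forms described above.
$samples = ['info.php', 'ext_bypass.php.1', 'ext_bypass.php.;', 'photo.JPG', 'report.v2.pdf'];
foreach ($samples as $n) {
    printf("%-18s weak=%-8s hardened=%s\n", $n,
        lastExtensionBlocked($n) ? 'blocked' : 'ACCEPTED',
        safeStoredName($n) === null ? 'rejected' : 'stored');
}
```

Storing uploads outside the document root, or in a directory where the PHP handler is disabled, removes the dependency on how Apache interprets the file name.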