[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

appRain CMF <= 0.1.5 (uploadify.php) Unrestricted File Upload Vulnerability



---------------------------------------------------------------------------
appRain CMF <= 0.1.5 (uploadify.php) Unrestricted File Upload Vulnerability
---------------------------------------------------------------------------

author............: Egidio Romano aka EgiX
mail..............: n0b0d13s[at]gmail[dot]com
software link.....: http://www.apprain.com/
 

[-] vulnerable code in /webroot/addons/uploadify/uploadify.php

27.    if (!empty($_FILES)) {
28.            $tempFile = $_FILES['Filedata']['tmp_name'];
29.            //$targetPath = $_SERVER['DOCUMENT_ROOT'] . $_REQUEST['folder'] . '/';
30.            $targetFile =  "uploads/" . $_FILES['Filedata']['name'];
31.            
32.            // $fileTypes  = str_replace('*.','',$_REQUEST['fileext']);
33.            // $fileTypes  = str_replace(';','|',$fileTypes);
34.            // $typesArray = split('\|',$fileTypes);
35.            // $fileParts  = pathinfo($_FILES['Filedata']['name']);
36.            
37.            // if (in_array($fileParts['extension'],$typesArray)) {
38.                    // Uncomment the following line if you want to make the directory if it doesn't exist
39.                    // mkdir(str_replace('//','/',$targetPath), 0755, true);
40.                    
41.                    move_uploaded_file($tempFile,$targetFile);
42.                    echo str_replace($_SERVER['DOCUMENT_ROOT'],'',$targetFile);
43.            // } else {
44.            //      echo 'Invalid file type.';
45.            // }
46.    }

Restricted access to  this script isn't properly realized,  so an attacker might  be able to upload
arbitrary files containing malicious PHP code due to uploaded file extension isn't properly checked.


[-] Possible bug fix:

include_once('../../../app.php');
App::__Obj('appRain_Base_Core')->check_admin_login(); 

add this lines of code at the beginning of the script


[-] Disclosure timeline:

[19/12/2011] - Vulnerability discovered
[19/12/2011] - Issue reported to http://www.apprain.com/ticket/1135
[20/12/2011] - Vendor response and fix suggested 
[16/01/2012] - After four weeks still no fix released
[19/01/2012] - Public disclosure


[-] Proof of concept:

http://www.exploit-db.com/exploits/18392/