PHP-Fusion 9.03.50 Arbitrary File Upload

2020-04-29 / 2020-04-28
Credit: Besim Altinok
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-264

# Exploit Title: PHP-Fusion 9.03.50 - 'Edit Profile' Arbitrary File Upload # Date: 2020-04-24 # Author: Besim ALTINOK # Vendor Homepage: https://www.php-fusion.co.uk/home.php # Software Link: https://sourceforge.net/projects/php-fusion/files/PHP-Fusion%20Archives/9.x/PHP-Fusion%209.03.50.zip/download # Version: v9.03.50 # Tested on: Xampp # Credit: ─░smail BOZKURT and AkkuS ------------------------------------------------------------------------------------------------- Description --- - This system does not check the file extension when user upload photo for avatar :). So you can upload PHP file like: Content of the file -- Sample PHP code: <? phpinfo(); ?> Name of the file: --- Sample PHP File name: tester.php - When you want to try to upload the image to the avatar, just, try to change the file name and content. ---------------------------------------------------------------------------------------- Vulnerable code section in the UserFieldsInput.inc ---------------------------------------------------------- private function _setUserAvatar() { if (isset($_POST['delAvatar'])) { if ($this->userData['user_avatar'] != "" && file_exists(IMAGES."avatars/".$this->userData['user_avatar']) && is_file(IMAGES."avatars/".$this->userData['user_avatar'])) { unlink(IMAGES."avatars/".$this->userData['user_avatar']); } $this->data['user_avatar'] = ''; } if (isset($_FILES['user_avatar']) && $_FILES['user_avatar']['name']) { // uploaded avatar if (!empty($_FILES['user_avatar']) && is_uploaded_file($_FILES['user_avatar']['tmp_name'])) { $upload = form_sanitizer($_FILES['user_avatar'], '', 'user_avatar'); if (isset($upload['error']) && !$upload['error']) { // ^ maybe use empty($upload['error']) also can but maybe low end php version has problem on empty. $this->data['user_avatar'] = $upload['image_name']; } } } }


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top