PHP Remote File Inclusion in crater-invoice/crater

Status: Valid

Reported on Dec 3rd 2021


Description

No MIME-type or extension restriction is applied to file uploads, so an authenticated user can upload a file containing arbitrary PHP code and have the server execute it.

Proof of Concept

  • Log in to the dashboard (preferably on your own local install).
  • Go to "Expenses", "Settings > Account" or "Settings > Company", each of which offers a file upload.
  • Upload any PHP file you want; it is accepted without any type check.

Impact

Allows a remote, authenticated attacker to execute arbitrary PHP code on the server hosting the application.
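The following is an added example, not code from this report or from the Crater code base, written in Python as a stand-in for the upload handler. It contrasts the behaviour described above (any file accepted), a content-sniffing check on its own (which the GIF89a-header bypass noted later on this page defeats), and a hardened handler that allowlists extensions, requires the sniffed type to agree with the extension, scans for PHP open tags as defence in depth, and stores the file under a random name with a content-derived extension. The sample uploads are constructed, and the function names and the allowlist are assumptions for the example.

```python
import os
import secrets

# Constructed sample uploads for this example (not files from the report).
PLAIN_PHP = b"<?php system($_GET['cmd']); ?>"
# GIF89a header followed by PHP: magic-byte and finfo-style MIME checks
# classify this as image/gif, which is the bypass the researcher warns about.
POLYGLOT = b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + PLAIN_PHP
# A minimal valid 1x1 GIF with no PHP tags in it.
REAL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00"
            b"\x00\x00\x00\xff\xff\xff"
            b"!\xf9\x04\x01\x00\x00\x00\x00"
            b",\x00\x00\x00\x00\x01\x00\x01\x00\x00"
            b"\x02\x02D\x01\x00;")

# Image types this handler is willing to store, keyed by magic bytes (assumed allowlist).
MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}
# Client-supplied extensions that are consistent with each sniffed type.
EXT_FOR_TYPE = {"gif": {"gif"}, "png": {"png"}, "jpeg": {"jpg", "jpeg"}}
# Extension the file is stored under, chosen from content, never from the client.
STORE_EXT = {"gif": "gif", "png": "png", "jpeg": "jpg"}


def sniff_image_type(data: bytes):
    """Return 'gif', 'png', 'jpeg' or None based on the leading magic bytes."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def unrestricted_accepts(client_name: str, data: bytes) -> bool:
    """The behaviour the report describes: no type restriction at all."""
    return True


def mime_only_accepts(client_name: str, data: bytes) -> bool:
    """A content-sniffing check (finfo / image-rule style) on its own."""
    return sniff_image_type(data) is not None


def contains_php_open_tag(data: bytes) -> bool:
    """Defence in depth only: catches '<?php' and '<?='. A bare '<?' short tag
    is not checked because two bytes match legitimate binary image data far too
    often, so this scan cannot replace disabling PHP execution for uploads."""
    return b"<?php" in data or b"<?=" in data


def hardened_store_name(client_name: str, data: bytes):
    """Return the random name to store the upload under, or None to reject it."""
    ext = os.path.splitext(client_name)[1].lower().lstrip(".")
    kind = sniff_image_type(data)
    if kind is None or ext not in EXT_FOR_TYPE[kind]:
        # Rejects .php/.phtml/no extension, and a GIF body labelled .png.
        return None
    if contains_php_open_tag(data):
        return None
    # Random name with a content-derived extension: the client's filename (and
    # any double extension such as shell.php.gif, which Apache's AddHandler
    # matching would otherwise treat as PHP) never reaches the filesystem.
    return f"{secrets.token_hex(16)}.{STORE_EXT[kind]}"
```

Even the hardened handler only reduces the attack surface; a polyglot that avoids the scanned tags, or a future image format added to the allowlist, still lands on disk. The control that actually closes the report is the one the researcher asks for: the upload directory must be somewhere the web server never hands to the PHP interpreter, which in general practice means storing uploads outside the document root and serving them through the application, or removing the PHP handler for that path (for nginx, a nested `location` under the uploads prefix that returns 403 for `\.php$`; for Apache with mod_php, an `.htaccess` in the uploads directory with `php_flag engine off` or a `FilesMatch` deny on `.ph*`).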

References

  • We are processing your report and will contact the crater-invoice/crater team within 24 hours (6 months ago)
  • José Aguilera modified the report (6 months ago)
  • José Aguilera submitted a (6 months ago)
  • We have contacted a member of the crater-invoice/crater team and are waiting to hear back (6 months ago)
  • crater-invoice/crater maintainer validated this vulnerability (6 months ago)
  • José Aguilera has been awarded the disclosure bounty
  • The fix bounty is now up for grabs
José Aguilera (Researcher), 6 months ago:

Please note that with the provided patch, or even with the native Laravel MediaPro image validation, an attacker could bypass the GIF upload check using the GIF89a; header. Make sure that PHP code can't be run inside the uploads folder.

  • Mohit Panjwani confirmed that a fix has been merged on ff3cd0 (4 months ago)
  • The fix bounty has been dropped