PHP Remote File Inclusion in crater-invoice/crater

Valid

Reported on

Dec 3rd 2021


Description

The file upload on the "Expenses" page and the image uploads under "Settings > Account" and "Settings > Company" do not restrict the MIME type (or the extension) of the uploaded file. An authenticated user can therefore upload a file with a .php extension and, if the uploads directory is served by the web server with PHP execution enabled, request it to run arbitrary PHP code. The report is filed under "Remote File Inclusion", but the underlying weakness is unrestricted file upload.

Proof of Concept

  • Log in to the dashboard (preferably on your own local install); any account that can reach the upload forms will do.
  • Go to "Expenses", "Settings > Account" or "Settings > Company".
  • Upload a file with a .php extension in place of the expected image or receipt. It is accepted: neither the extension nor the MIME type is checked.
  • Request the stored file through the web server. If the uploads directory is in a location where the server executes PHP, the code in the file runs.

Impact

An authenticated remote attacker (any user who can reach one of the upload forms) can execute arbitrary PHP code on the server with the privileges of the PHP/web-server process, provided the uploads directory is in a location where the server executes PHP. Whether that condition holds depends on the deployment, which is why the fix has to cover both the upload validation and the serving configuration.

References

None listed.

Timeline

  • We are processing your report and will contact the crater-invoice/crater team within 24 hours.
  • José Aguilera modified the report.
  • José Aguilera submitted a
  • We have contacted a member of the crater-invoice/crater team and are waiting to hear back.
  • crater-invoice/crater maintainer validated this vulnerability.
  • José Aguilera has been awarded the disclosure bounty.

José Aguilera (Researcher) commented:


Please note that with the provided patch, or even with the native Laravel MediaPro image validation, an attacker could bypass the GIF upload validation using the GIF89a; header. Make sure that PHP code can't be run inside the uploads folder.

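The checks the report and the researcher's follow-up describe, as an added example that is not code from crater-invoice/crater or from the fix commit: a Python model of the weak magic-bytes-only check, the GIF89a; polyglot that passes it, and a hardened validator (extension allowlist, content/extension agreement, PHP open-tag scan, server-generated filename). The function names, the allowlist and the sample files are assumptions made for the example.

```python
"""Upload validation for an image/receipt endpoint, and the GIF89a polyglot
that defeats a magic-bytes-only check.

Added example for this report, not code from crater-invoice/crater. The
function names, the allowlist and the sample inputs are assumptions.
"""
import os
import re
import secrets

# Extension allowlist and the magic bytes each type must start with.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

# PHP open tags: "<?php" not followed by an identifier character, and the
# "<?=" echo form. A bare "<?" is deliberately not matched: it only fires
# when short_open_tag is on, and it would reject legitimate PDFs that carry
# "<?xpacket" XMP metadata.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php(?![a-z0-9_])|=)", re.IGNORECASE)


def gif89a_polyglot(php_source: bytes) -> bytes:
    """Constructed sample: the 'GIF89a;' prefix the researcher mentions, then PHP."""
    return b"GIF89a;" + php_source


def magic_only_check(data: bytes) -> bool:
    """The weak check: do the first bytes look like an allowed file? Nothing else."""
    return any(data.startswith(sig) for sigs in ALLOWED_TYPES.values() for sig in sigs)


def validate_upload(filename: str, data: bytes) -> str:
    """Hardened check. Returns a server-generated storage name or raises ValueError."""
    base = os.path.basename(filename)
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    # 1. Extension allowlist, so the client cannot choose .php, .phtml, .phar, ...
    if ext not in ALLOWED_TYPES:
        raise ValueError(f"extension not allowed: {ext!r}")
    # 2. Content must agree with the extension; the client's Content-Type is never consulted.
    if not any(data.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        raise ValueError("file content does not match its extension")
    # 3. Polyglot guard: a valid image header says nothing about the rest of the body.
    #    Decoding and re-encoding with an image library is stronger; this stays dependency-free.
    if PHP_OPEN_TAG.search(data):
        raise ValueError("PHP open tag embedded in upload")
    # 4. Never keep the client's filename: a classic Apache AddHandler for .php treats
    #    "x.php.gif" as PHP because it matches any extension in the name. Regenerate it.
    return f"{secrets.token_hex(16)}.{ext}"


def upload_rejected(filename: str, data: bytes) -> bool:
    """True when validate_upload refuses the file."""
    try:
        validate_upload(filename, data)
    except ValueError:
        return True
    return False


def stored_name_is_inert(name: str) -> bool:
    """A storage name must be one allowed extension with no 'php' and no extra dots."""
    stem, _, ext = name.rpartition(".")
    return ext in ALLOWED_TYPES and "php" not in name.lower() and "." not in stem


if __name__ == "__main__":
    poly = gif89a_polyglot(b"<?php echo 'polyglot'; ?>")
    print("magic-only check accepts the polyglot:", magic_only_check(poly))
    samples = [
        ("receipt.gif", poly),
        ("shell.php", b"<?php phpinfo();"),
        ("shell.php.gif", b"GIF89a" + bytes(20)),
        ("receipt.gif", b"GIF89a" + bytes(20)),
    ]
    for name, body in samples:
        try:
            print(name, "->", validate_upload(name, body))
        except ValueError as err:
            print(name, "-> rejected:", err)
```

Run it directly to watch the polyglot pass the weak check and fail the hardened one. Even the hardened validator is a filter rather than a guarantee, which is the researcher's point: the decisive control is that the web server must not execute PHP from the storage directory (for example "php_admin_flag engine off" for that directory under Apache mod_php, or an nginx location for it with no fastcgi_pass), so that an upload which slips through is served as bytes instead of run.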
Mohit Panjwani marked this as fixed in 6.0.4 with commit ff3cd0.
This vulnerability will not receive a CVE