Unrestricted Upload of File with Dangerous Type in dmpop/mejiro

Valid

Reported on

Sep 14th 2021


Description

Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish this.

https://github.com/dmpop/mejiro is vulnerable to command injection as shown below:

Proof of Concept

Resource: upload.php Variable: $_FILES Snippet:

<?php
    if (isset($_POST['submit'])) {
        // count total files
        $countfiles = count($_FILES['file']['name']);
        // looping all files
        for ($i = 0; $i < $countfiles; $i++) {
            $filename = $_FILES['file']['name'][$i];
            // upload file
            move_uploaded_file($_FILES['file']['tmp_name'][$i], $upload_dir . DIRECTORY_SEPARATOR . $filename);
        }
    }
?>

Payload

  1. Create a file called info.php with the following content:
<?php
    phpinfo();
?>
  1. Go to http://localhost/mejiro-main/upload.php select info.php
  2. Clic upload
  3. Go to http://localhost/mejiro-main/photos/info.php and observe phpinfo is executed.

Impact

The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system or database, forwarding attacks to back-end systems, client-side attacks, or simple defacement. It depends on what the application does with the uploaded file and especially where it is stored.

We created a GitHub Issue asking the maintainers to create a SECURITY.md 3 months ago
We have contacted a member of the dmpop/mejiro team and are waiting to hear back 2 months ago
Dmitri Popov validated this vulnerability 2 months ago
hitisec has been awarded the disclosure bounty
The fix bounty is now up for grabs
Dmitri Popov confirmed that a fix has been merged on 23429b 2 months ago
Dmitri Popov has been awarded the fix bounty