Title: Arbitrary file upload vulnerability in jQuery Upload File v4.0.2
Author: Larry W. Cashdollar, @_larry0
Date: 2018-11-02
CVE-ID: CVE-2018-9207
CWE: CWE-434 arbitrary file upload
Download Site: http://hayageek.com/docs/jquery-upload-file.php
Vendor: Hayageek
Vendor Notified: 2018-11-02
Vendor Contact: hayageek@gmail.com
Advisory: http://www.vapidlabs.com/advisory.php?v=206
Description: The jQuery Upload File plugin provides multiple file uploads with a progress bar. It works with any server-side platform (Google App Engine, PHP, Python, Ruby on Rails, Java, etc.) that supports standard HTML form file uploads.
Vulnerability: The code in https://github.com/hayageek/jquery-upload-file/blob/master/php/upload.php neither checks the uploaded file's type nor requires any authentication, so a user can upload an executable file into the /uploads/ directory if that directory exists.
$output_dir = "uploads/"; // upload target (the /uploads/ directory named above); defined earlier in upload.php
$ret = array();
if(!is_array($_FILES["myfile"]["name"])) //single file
{
    // The client-supplied file name is used as-is: no extension, MIME type or authentication check
    $fileName = $_FILES["myfile"]["name"];
    move_uploaded_file($_FILES["myfile"]["tmp_name"],$output_dir.$fileName);
    $ret[]= $fileName;
}
else //Multiple files, file[]
{
    $fileCount = count($_FILES["myfile"]["name"]);
    for($i=0; $i < $fileCount; $i++)
    {
        // Same unchecked move for every element of myfile[]
        $fileName = $_FILES["myfile"]["name"][$i];
        move_uploaded_file($_FILES["myfile"]["tmp_name"][$i],$output_dir.$fileName);
        $ret[]= $fileName;
    }
}
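The handler below is an added example (not the plugin's code and not part of the original advisory) showing the checks upload.php lacks: an authentication gate, an extension and MIME-type allow-list, a random server-side file name in place of the client-supplied one, and no execute bit on the stored file. The session check on $_SESSION['user_id'], the allow-list contents and the size limit are assumptions chosen for illustration.

```php
<?php
// Added example: hardened replacement for the upload logic quoted in the advisory.
// Assumptions: the application keeps a logged-in user id in $_SESSION['user_id'];
// the allow-list and size limit below are illustrative deployment choices.
session_start();

// 1. Require authentication before accepting any upload.
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    exit(json_encode(['error' => 'authentication required']));
}

// Allow-list of extensions with the MIME type each must really have.
$allowed = [
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'png' => 'image/png',  'gif'  => 'image/gif',
    'pdf' => 'application/pdf',
];
$output_dir = __DIR__ . '/uploads/';   // better still: a directory outside the web root
$maxBytes   = 5 * 1024 * 1024;

// Normalise single-file and multi-file (myfile[]) submissions into one shape.
$files = $_FILES['myfile'] ?? null;
if ($files === null) { http_response_code(400); exit(json_encode(['error' => 'no file'])); }
$names = (array) $files['name'];
$tmps  = (array) $files['tmp_name'];
$errs  = (array) $files['error'];
$sizes = (array) $files['size'];

$finfo = new finfo(FILEINFO_MIME_TYPE);
$ret   = [];
foreach ($names as $i => $clientName) {
    if ($errs[$i] !== UPLOAD_ERR_OK || $sizes[$i] > $maxBytes || !is_uploaded_file($tmps[$i])) {
        continue; // skip failed, oversized or non-upload inputs
    }
    // 2. Take the extension from a basename (drops any directory components) and check the allow-list.
    $ext = strtolower(pathinfo(basename($clientName), PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) { continue; }
    // 3. Check the actual content type, not the client-declared one.
    if ($finfo->file($tmps[$i]) !== $allowed[$ext]) { continue; }
    // 4. Never reuse the client-supplied name: store under a random one.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    if (move_uploaded_file($tmps[$i], $output_dir . $stored)) {
        chmod($output_dir . $stored, 0644); // readable, never executable
        $ret[] = $stored;
    }
}
header('Content-Type: application/json');
echo json_encode($ret);
```

Rejected files are silently skipped here; a production handler would also log each rejection with the client name and detected MIME type so abuse attempts are visible to monitoring.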
Exploit Code:
Screen Shots:
Notes: