| Title: Arbitrary File Upload File Upload Vulnerability in php-traditional-server v1.2.2 |
| Author: Larry W. Cashdollar, @_larry0 |
| Date: 2018-11-15 |
| CVE-ID:[CVE-2018-9209] |
| CWE: CWE-434 Arbitrary File Upload |
| Download Site: https://web.archive.org/web/20180611151421/https://github.com/FineUploader/php-traditional-server |
| Vendor: FineUploader |
| Vendor Notified: 2018-11-15 |
| Vendor Contact: https://twitter.com/_larry0/status/1063988508786925568 |
| Advisory: http://www.vapidlabs.com/advisory.php?v=208 |
| Description: PHP-based server-side example for handling traditional endpoint requests from Fine Uploader |
| Vulnerability: The code in endpoint.php allows file uploads and doesn't check if the users authenticated or the file type. This allows for executable files to be uploaded and therefore remote code execution.
Lines 37-38 from endpoint.php:
37: // Specify the list of valid extensions, ex. array("jpeg", "xml", "bmp")
38: $uploader->allowedExtensions = array(); // all files types allowed by default
|
| Export: JSON TEXT XML |
Exploit Code:
|
| Screen Shots: |
Notes: Author deleted his software repository instead. |
Larry W. Cashdollar
Larry Cashdollar
Larry W. Cashdollar vulnerability
Larry Cashdollar advisory