Support Mail Telefon Webmail
Support Mail Telefon Webmail

Unrestricted Upload of File with Dangerous Type in phpGrid (CVE-2017-10665)

Abstract

Unrestricted Upload of File with Dangerous Type in ajaxfileupload.php in Kayson Group Ltd. phpGrid 7.2 and earlier allows remote attackers to execute arbitrary code by posting a malicious file (to ajaxfileupload.php), which is stored in the local File System.

Credit

Andreas Schnederle-Wagner, 28.06.2017

Contact

For feedback or questions about this advisory mail me at schnederle@futureweb.at

Affected Software

phpGrid

Tested versions

7.2, earlier Versions are affected too

CVE ID

CVE-2017-10665

CWE ID

CWE-434

Attack Type, Impact

Remote, Code Execution, Denial of Service, Information Disclosure, Path Traversal, access to the Server in Web-Server context

Access Complexity, Authentication

Low, Not required

Fix

Fixed in 7.2.5

Introduction

phpGrid is a PHP CRUD Framework with Ajax File Upload capability. Inadequate Input validation allows an Unrestricted Upload of File with Dangerous Type to the Server File System.

Details

The Unrestricted Upload of File with Dangerous Type vulnerability exists in the file ajaxfileupload.php. The file accepts every File-Payload without any restrictions. As the Folder can be set by GET Request also a Path traversal is possible.
The vulnerable code is shown below.

Figure1: vulnerable code ajaxfileupload.php

Proof of concept

 

 
Standort
Innsbrucker Str. 4
6380 St. Johann in Tirol
Österreich
Kontakt
Tel.: 05352 65335
Email: info@futureweb.at
Web: www.futureweb.at