Unrestricted Upload of File with Dangerous Type in phpGrid (CVE-2017-10665)
Unrestricted Upload of File with Dangerous Type in ajaxfileupload.php in Kayson Group Ltd. phpGrid 7.2 and earlier allows remote attackers to execute arbitrary code by posting a malicious file (to ajaxfileupload.php), which is stored in the local File System.
Andreas Schnederle-Wagner, 28.06.2017
For feedback or questions about this advisory mail me at firstname.lastname@example.org
7.2, earlier Versions are affected too
Attack Type: Remote
Impact: Code Execution, Denial of Service, Information Disclosure, Path Traversal, access to the Server in Web-Server context
Access Complexity: Low
Authentication: Not required
Fixed in 7.2.5
phpGrid is a PHP CRUD framework with Ajax file upload capability. Inadequate input validation allows an Unrestricted Upload of File with Dangerous Type to the server file system.
The Unrestricted Upload of File with Dangerous Type vulnerability exists in the file ajaxfileupload.php. The file accepts every file payload without any restrictions. Because the folder can be set by a GET request, path traversal is also possible.
The vulnerable code is shown below.
Figure 1: vulnerable code in ajaxfileupload.php
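As an added example (not phpGrid's code and not the vendor's 7.2.5 fix), the sketch below shows the two checks whose absence the advisory describes: a file-type allow-list combined with a server-generated file name, and canonical containment of the client-supplied folder. The `folder` GET parameter, the `file` form field, the storage root and the allow-list are assumptions made for illustration.

```php
<?php
// Added example (PHP 8+), hypothetical names; not phpGrid code or its 7.2.5 fix.
const UPLOAD_BASE = __DIR__ . '/uploads';                 // assumed storage root
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'pdf']; // assumed allow-list
// Canonicalise the client-supplied folder; null unless it is a directory under $base.
function resolve_upload_dir(string $base, string $folder): ?string
{
    $root = realpath($base);
    $dir  = $root === false ? false : realpath($root . DIRECTORY_SEPARATOR . $folder);
    if ($dir === false || !is_dir($dir)) {
        return null;
    }
    return ($dir === $root || str_starts_with($dir, $root . DIRECTORY_SEPARATOR)) ? $dir : null;
}

// Server-generated name with an allow-listed extension; null for any other type.
function safe_stored_name(string $clientName): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXT, true) ? bin2hex(random_bytes(16)) . '.' . $ext : null;
}

function handle_upload(array $file, string $folder): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return [400, 'upload failed'];
    }
    $dir  = resolve_upload_dir(UPLOAD_BASE, $folder);
    $name = safe_stored_name((string) ($file['name'] ?? ''));
    if ($dir === null || $name === null) {
        return [400, 'folder or file type not allowed'];
    }
    $stored = move_uploaded_file($file['tmp_name'], $dir . DIRECTORY_SEPARATOR . $name);
    return $stored ? [200, $name] : [500, 'could not store file'];
}

if (PHP_SAPI === 'cli') { // constructed inputs: exercise both checks offline
    $base = sys_get_temp_dir() . '/upload_demo_' . bin2hex(random_bytes(4));
    mkdir($base . '/docs', 0700, true);
    foreach (['docs', '..', 'docs/../..', 'missing'] as $f) {
        printf("folder %-12s %s\n", $f, resolve_upload_dir($base, $f) === null ? 'rejected' : 'accepted');
    }
    foreach (['report.pdf', 'shell.php', 'shell.PHTML', 'shell.php.jpg'] as $n) {
        printf("name   %-14s %s\n", $n, safe_stored_name($n) ?? 'rejected');
    }
} else {
    $folder = is_string($_GET['folder'] ?? null) ? $_GET['folder'] : '';
    [$code, $body] = handle_upload($_FILES['file'] ?? [], $folder);
    http_response_code($code);
    echo $body;
}
```

Run from the CLI, the script prints which constructed folders and names are rejected; `shell.php.jpg` passes only because it is stored under a random name whose sole extension is `.jpg`. Keeping the storage root outside the web root, or disabling script execution in it, is a complementary control.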
Proof of concept