GLPI 0.85.5 Upload Vulnerability analysis

The vulnerability seen above exp-db, this is the original link: https://www.exploit-db.com/exploits/38407/

But the POC gives a very simple, this is the original description:

"

The application allows users to upgrade their own profiles. The user has
The possibility to add a new photo as attachment.

The photo that he uploads is stored into "glpi_root/files/_pictures/".

This file, for example named "Photo.jpeg", 'll be directly accessible
Through "Http://host/GLPI_ROOT/files/_pictures/XXXX.jpeg", where "XXXX"
is a ID automatically generated by the system and visible in the HTML
Source code.

Besides, the server does not check the extension of the uploaded file,
But only the first bytes within it, which indicates which kind of file is.

Exploiting this flaw, an attacker may upload a tampered JPEG file
Contains PHP code placed at the end of the file, so, just changing
The file extention to '. php ', by default the PHP code would be interpreted!

To trigger this vulnerability it's necessary to a account.

This vulnerability is a combination of both issues:
-Predictable uploaded file names and path
-Upload of any kind of the file, not limited to images

"

Probably means that the uploaded file does not check the suffix, only check the file content of the previous byte, if the decision is legitimate content will be uploaded, the use of the way is in a normal picture file after adding PHP code, and the path is also easy to find.

In order to the cause of the vulnerability know everything attitude, or need to look at the source, the problem is in./inc/user.class.php

The key code is as follows:

1 //Move uploaded file2                   $filename=$this->fields[' ID '];3                   $tmp=Explode(".",$_files[' Picture '] [' Name ']);4                   $extension=Array_pop($tmp);//get the suffix of the original file5                   $picture _path= Glpi_picture_dir. " /$filename.".$extension;//directly stitching the original suffix6Self::d roppicturefiles ($filename.".".$extension);

Also do not know is the developer forgot to deal with the suffix or the matter, it is estimated that the image content can be done two times rendering, so it is the original suffix can not pee malicious attackers, but developers forget?
Anyway, the upload hole is so produced ~ ~

GLPI 0.85.5 Upload Vulnerability analysis