GLPI 0.85.5 Upload Vulnerability analysis

Source: Internet
Author: User
Tags glpi

This vulnerability was found on exploit-db; here is the original link: https://www.exploit-db.com/exploits/38407/

But the PoC given there is very brief. This is the original description:

"

The application allows users to upgrade their own profiles. The user has
the possibility to add a new photo as attachment.

The photo that he uploads is stored into "GLPI_ROOT/files/_pictures/".

This file, for example named "photo.jpeg", will be directly accessible
through "http://host/GLPI_ROOT/files/_pictures/XXXX.jpeg", where "XXXX"
is an ID automatically generated by the system and visible in the HTML
source code.

Besides, the server does not check the extension of the uploaded file,
but only the first bytes within it, which indicate which kind of file it is.

Exploiting this flaw, an attacker may upload a tampered JPEG file
containing PHP code placed at the end of the file, so, just changing
the file extension to '.php', by default the PHP code would be interpreted!

To trigger this vulnerability it's necessary to have an account.

This vulnerability is a combination of both issues:
- Predictable uploaded file names and path
- Upload of any kind of file, not limited to images

"

In other words, the upload handler does not check the file suffix at all; it only checks the leading bytes of the content, and if those look like a legitimate image the file is accepted. So the way to exploit it is to append PHP code after a normal image file, and the path where it lands is easy to find as well.

To really understand the root cause we still need to look at the source. The problem is in ./inc/user.class.php

The key code is as follows:

    // Move uploaded file
    $filename     = $this->fields['id'];
    $tmp          = explode(".", $_FILES['picture']['name']);
    $extension    = array_pop($tmp);                                // get the suffix of the original file name
    $picture_path = GLPI_PICTURE_DIR . "/$filename." . $extension;   // concatenate the original suffix directly
    self::dropPictureFiles($filename . "." . $extension);

I don't know whether the developer simply forgot to handle the suffix or left it that way on purpose. My guess is that the plan was to re-render the image content a second time, so that the original suffix could not be abused by a malicious attacker, and the developer then forgot to do it.
Anyway, that is how this upload hole came about ~~
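As an added example, not code from the original post and not GLPI's own code: the following Python models the two behaviours the analysis above describes, a content-only magic-byte check combined with a suffix copied from the client's file name, next to a hardened variant that derives the suffix from the detected content and refuses a client suffix that disagrees with it. The signature table, the PICTURE_DIR stand-in for GLPI_PICTURE_DIR, the function names and the constructed JPEG-plus-PHP polyglot are all assumptions for illustration.

```python
import os

# Constructed signature table for this example (GLPI's own check relies on PHP's fileinfo).
# Only the leading bytes are inspected, so anything appended after a valid header is never seen.
IMAGE_SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Hypothetical stand-in for GLPI_PICTURE_DIR.
PICTURE_DIR = "/var/www/glpi/files/_pictures"


def detect_image_type(data: bytes):
    """Content-only check: return the image type implied by the leading bytes, or None."""
    for magic, ext in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def vulnerable_picture_path(user_id: int, client_filename: str, data: bytes) -> str:
    """Model of the 0.85.5 logic quoted above: the content must look like an image,
    but the stored suffix is whatever followed the last dot in the client's file name
    (the Python equivalent of array_pop(explode('.', $_FILES['picture']['name'])))."""
    if detect_image_type(data) is None:
        raise ValueError("not an image")
    extension = client_filename.split(".")[-1]
    return f"{PICTURE_DIR}/{user_id}.{extension}"


def hardened_picture_path(user_id: int, client_filename: str, data: bytes) -> str:
    """Hardened variant: the suffix comes from the detected content type, the client's
    suffix must be an image suffix that agrees with it, and the stored name never
    contains client-controlled text."""
    detected = detect_image_type(data)
    if detected is None:
        raise ValueError("not an accepted image type")
    client_ext = os.path.splitext(client_filename)[1].lstrip(".").lower()
    if client_ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"suffix {client_ext!r} is not an image suffix")
    if client_ext == "jpeg":
        client_ext = "jpg"
    if client_ext != detected:
        raise ValueError(f"suffix {client_ext!r} does not match detected type {detected!r}")
    return f"{PICTURE_DIR}/{user_id}.{detected}"


def build_polyglot() -> bytes:
    """Constructed sample of the tampered file the advisory describes: a JPEG SOI/APP0
    header followed by a PHP payload placed at the end of the file."""
    jpeg_header = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return jpeg_header + b"<?php echo 'php executed'; ?>"


if __name__ == "__main__":
    payload = build_polyglot()
    print("detected type:", detect_image_type(payload))
    print("0.85.5 path:  ", vulnerable_picture_path(7, "photo.php", payload))
    for name in ("photo.php", "photo.jpg"):
        try:
            print("hardened path:", hardened_picture_path(7, name, payload))
        except ValueError as err:
            print("hardened rejects", name, "->", err)
```

Running it shows the point of the analysis: the polyglot passes the magic-byte check in both versions, but the 0.85.5 logic stores it as 7.php, where the trailing PHP is interpreted under the default handler mapping, while the hardened version rejects the .php name outright and stores a .jpg upload as 7.jpg, leaving the appended code as inert image bytes. The second-pass re-rendering the author speculates about (decoding and re-encoding the picture through an image library) would additionally strip the appended tail; this example deliberately stops at the suffix and content checks.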

