View Issue Details

ID: 19357
Project: Bug reports
Category: Security
View Status: public
Last Update: 2024-02-02 16:33
Reporter: saimson1
Assigned To: c_schmitz
Priority: none
Severity: feature
Status: closed
Resolution: no change required
Product Version: 5.6.x
Summary: 19357: Malicious File Upload.
Description

The application provides a feature to upload a file by adding it to the server.

I've observed that the server fails to validate the content, MIME type and double extension of the file.

For instance, I was able to upload a double-extension file with PHP content or any other content.

Steps To Reproduce

  1. Logged into the application, there are multiple places where we can upload a file.

  2. Click on one and select a file to upload.

Expected result

  1. Since the server has no validation at its end, this should allow us to upload any file with any content.

Actual result

  1. After clicking on upload, we can see that the file has been successfully uploaded to the server.

  2. However, we were not able to execute it to escalate the issue to remote code execution.

Tags: No tags attached.
Attached Files:
  payload.png (237,490 bytes)
  Screenshot_1.png (131,524 bytes)
Bug heat: 256
Complete LimeSurvey version number (& build): LimeSurvey Community Edition Version 5.3.32+220817
I will donate to the project if issue is resolved: No
Browser: Firefox, Burpsuite Community Edition
Database type & version: MYSQL
Server OS (if known): Apache
Webserver software & version (if known):
PHP Version: PHP


Activities

DenisChenu (developer), 2024-01-18 10:00, note ~79207

JS and PHP files are text files …

You can add any content to myfile.php.js: it is not interpreted by the server …
As you showed yourself …

DenisChenu (developer), 2024-01-18 10:01, note ~79208

@ tibor.pacalat and @c_schmitz: I close this one as no change required.

saimson1 (reporter), 2024-01-18 10:23, note ~79210

If the application allows only JPEG from the front end and validates it in the same way at the server, then the server should validate the content and double extension of the file. I would also like to mention that if this vulnerability were chained with a local file inclusion, it could lead to critical remote code execution. So, as a security best practice, developers should implement a whitelist of allowed domains and validate the file by its content and header.
Let's not close this issue by ignoring it.

DenisChenu (developer), 2024-01-18 11:42, note ~79214

JS and PHP files are text files …

DenisChenu (developer), 2024-01-18 11:43, note ~79215

For feedback: for me, we can close it.

There is NO way to hack the server by uploading a file named sample.pph.txt.

It's a text file.

DenisChenu (developer), 2024-01-18 11:45, note ~79216

ping @tibor.pacalat too.

(space after the @ before)

saimson1 (reporter), 2024-01-19 06:20, note ~79223

Additionally, I was able to upload zip files without using any double-extension method, with the original content of the zip file.
Would you still say the application is validating at its best?
The application logic should thoroughly check the content, header, double extension and allowed extension; only then should the file be uploaded to the server.

Let's say the application is expecting (jpg, jpeg, png); then it should allow only files whose content, MIME type and extension all match.

  1. To check for a double extension, just check whether the filename string has (jpg, jpeg, png) with a single dot in it; otherwise replace the other dot(s) with an underscore (_) or a space.
  2. Implement an allowed list of MIME types (jpeg/png); if the file has any other type, do not allow it.
  3. Check the file header; only allow the file if the header matches an allowed file type.
  4. Thoroughly scan the file content while processing; if there is any suspicious content, reject the upload.

Implement the above to fix the issue; just don't mark it as feedback. The consequences could be dangerous, since prior versions were already vulnerable to file upload with code execution.
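Added example, not part of this thread and not LimeSurvey's own code: a Python sketch of the four checks the reporter lists above (single allowed extension with other dots turned into underscores, declared MIME allowlist, magic-byte header check, content scan). The allowlist, the suspicious-content pattern, the function names and the sample uploads are all constructed for the example.

```python
import os
import re

# Constructed allowlist: extension -> (expected MIME type, magic-byte prefix).
ALLOWED_TYPES = {
    "jpg":  ("image/jpeg", b"\xff\xd8\xff"),
    "jpeg": ("image/jpeg", b"\xff\xd8\xff"),
    "png":  ("image/png",  b"\x89PNG\r\n\x1a\n"),
}

# Constructed heuristic for step 4: script markers that have no place inside an image.
SUSPICIOUS_CONTENT = re.compile(rb"<\?php|<\?=|<script\b", re.IGNORECASE)


class UploadRejected(ValueError):
    """Raised with a short reason when any check fails."""


def normalize_filename(filename):
    """Step 1: exactly one allowed extension; extra dots in the stem become underscores."""
    base = os.path.basename(filename.replace("\\", "/"))   # drop any directory part
    stem, dot, ext = base.rpartition(".")
    ext = ext.lower()
    if not dot or not stem or ext not in ALLOWED_TYPES:
        raise UploadRejected("extension not in allowlist: %r" % base)
    stem = stem.replace(".", "_")                          # shell.php.jpg -> shell_php.jpg
    stem = re.sub(r"[^A-Za-z0-9_-]", "_", stem)            # keep the stored name filesystem-safe
    return stem + "." + ext, ext


def check_declared_mime(declared_mime, ext):
    """Step 2: the client-declared Content-Type must match the extension's MIME type.
    The declared type is client-controlled, so this is a consistency check only."""
    expected = ALLOWED_TYPES[ext][0]
    if declared_mime.split(";")[0].strip().lower() != expected:
        raise UploadRejected("declared MIME %r does not match %r" % (declared_mime, expected))


def check_magic_bytes(data, ext):
    """Step 3: the file header (magic bytes) must match the extension."""
    magic = ALLOWED_TYPES[ext][1]
    if not data.startswith(magic):
        raise UploadRejected("file header does not match .%s" % ext)


def scan_content(data):
    """Step 4: reject bodies carrying server-side script markers anywhere."""
    match = SUSPICIOUS_CONTENT.search(data)
    if match:
        raise UploadRejected("suspicious content at offset %d: %r" % (match.start(), match.group(0)))


def validate_upload(filename, declared_mime, data):
    """Run all four checks; return the sanitized filename to store under, or raise."""
    safe_name, ext = normalize_filename(filename)
    check_declared_mime(declared_mime, ext)
    check_magic_bytes(data, ext)
    scan_content(data)
    return safe_name


def classify(filename, declared_mime, data):
    """Return ("accepted", stored_name) or ("rejected", reason)."""
    try:
        return "accepted", validate_upload(filename, declared_mime, data)
    except UploadRejected as exc:
        return "rejected", str(exc)


# Constructed sample uploads: the bodies are just a header plus filler bytes.
SAMPLES = [
    ("photo.JPG",     "image/jpeg", b"\xff\xd8\xff\xe0JFIF" + b"\x00" * 16),
    ("shell.php.jpg", "image/jpeg", b"\xff\xd8\xff\xe0" + b"<?php echo 1; ?>"),
    ("notes.txt",     "text/plain", b"just text"),
    ("fake.png",      "image/png",  b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ("../../up.png",  "image/png",  b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
]

if __name__ == "__main__":
    for name, mime, body in SAMPLES:
        print(name, "->", classify(name, mime, body))
```

The order matters: the extension check runs first so that the later checks know which type they are validating against. The magic-byte check only proves the file starts like an image, and the content scan is a heuristic; neither replaces the web-server configuration that keeps the upload directory from executing scripts, which is what the developers' replies in this thread rely on.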

DenisChenu (developer), 2024-01-19 10:16, note ~79225

> Additionally, I was able to upload zip files without using any double-extension method, with the original content of the zip file.

And? Zip files are allowed.

Otherwise: which upload part? https://github.com/LimeSurvey/LimeSurvey/blob/d757850372c17014267682347341d4524bbafdfb/application/controllers/UploaderController.php#L200

c_schmitz (administrator), 2024-02-02 16:32, note ~79395

> However, we were not able to execute it to escalate the issue to remote code execution.

I am closing this issue, because I agree that there is no vulnerability here.

Issue History

Date Modified Username Field Change
2024-01-18 09:58 saimson1 New Issue
2024-01-18 09:58 saimson1 File Added: payload.png
2024-01-18 09:58 saimson1 File Added: Screenshot_1.png
2024-01-18 10:00 DenisChenu Note Added: 79207
2024-01-18 10:00 DenisChenu Bug heat 256 => 258
2024-01-18 10:01 DenisChenu Assigned To => DenisChenu
2024-01-18 10:01 DenisChenu Status new => closed
2024-01-18 10:01 DenisChenu Resolution open => no change required
2024-01-18 10:01 DenisChenu Note Added: 79208
2024-01-18 10:02 DenisChenu View Status private => public
2024-01-18 10:02 DenisChenu Bug heat 258 => 252
2024-01-18 10:23 saimson1 Note Added: 79210
2024-01-18 10:23 saimson1 Bug heat 252 => 254
2024-01-18 11:42 DenisChenu Note Added: 79214
2024-01-18 11:42 DenisChenu Assigned To DenisChenu => c_schmitz
2024-01-18 11:43 DenisChenu Status closed => feedback
2024-01-18 11:43 DenisChenu Resolution no change required => reopened
2024-01-18 11:43 DenisChenu Note Added: 79215
2024-01-18 11:45 DenisChenu Note Added: 79216
2024-01-19 06:20 saimson1 Note Added: 79223
2024-01-19 06:20 saimson1 Status feedback => assigned
2024-01-19 10:16 DenisChenu Note Added: 79225
2024-02-02 16:32 c_schmitz Note Added: 79395
2024-02-02 16:32 c_schmitz Bug heat 254 => 256
2024-02-02 16:33 c_schmitz Status assigned => resolved
2024-02-02 16:33 c_schmitz Resolution reopened => no change required
2024-02-02 16:33 c_schmitz Status resolved => closed