View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
19357 | Bug reports | Security | public | 2024-01-18 09:58 | 2024-02-02 16:33 |
Reporter | saimson1 | Assigned To | c_schmitz | ||
Priority | none | Severity | feature | ||
Status | closed | Resolution | no change required | ||
Product Version | 5.6.x | ||||
Summary | 19357: Malicious File Upload. | ||||
Description | The application provides a feature to upload files by adding them to the server. I've observed that the server fails to validate the content, MIME type and double extension of the file. For instance, I was able to upload a double-extension file with PHP content or any content. | ||||
Steps To Reproduce | Steps to reproduce
Expected result
Actual result
| ||||
Tags | No tags attached. | ||||
Attached Files | |||||
Bug heat | 256 | ||||
Complete LimeSurvey version number (& build) | LimeSurvey Community Edition Version 5.3.32+220817 | ||||
I will donate to the project if issue is resolved | No | ||||
Browser | Firefox, Burpsuite Community Edition | ||||
Database type & version | MYSQL | ||||
Server OS (if known) | Apache | ||||
Webserver software & version (if known) | |||||
PHP Version | PHP | ||||
js and php files are text files … You can add any content to myfile.php.js: it's not interpreted by the server … |
|
@ tibor.pacalat and @c_schmitz: I close this one as no change required |
|
If the application allows only jpeg from the front and validates it in the same way at the server, then the server should validate the content and double extension of the file. I would also like to mention that if this vulnerability got chained with a local file inclusion, this can lead to critical remote code execution. So as a best security practice, developers should implement a whitelist of allowed domains and validate the file by its content and the header of the file. |
|
js and php files are text files … |
|
For feedback: for me: can close it. There is NO way to hack a server by uploading a file named sample.pph.txt. It's a text file |
|
ping @tibor.pacalat too. (space after the @ before) |
|
Additionally, I was able to upload zip files without using any double-extension method, with the original content of the zip file. Let's say the application is expecting (jpg, jpeg, png); then it should allow only those files whose content, MIME type and extension are the same.
Implement the above to fix the issue; just don't mark it as feedback. The consequences could be dangerous since the prior versions were already vulnerable to file upload with code execution. |
|
And ? Zip file is allowed. Else : what upload part https://github.com/LimeSurvey/LimeSurvey/blob/d757850372c17014267682347341d4524bbafdfb/application/controllers/UploaderController.php#L200 |
|
I am closing this issue, because I agree that there is no vulnerability here. |
|
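The check the reporter asks for in the notes above (extension, declared MIME type and content must all agree, and no double extension), sketched as an added example; it is not LimeSurvey code, it is written in Python rather than the project's PHP, and the allowlist, function name and sample uploads are assumptions constructed for illustration.

```python
"""Added illustration: accept an upload only when its extension, declared
MIME type and leading bytes all name the same allowed type."""

# Assumed allowlist for a (jpg, jpeg, png) field: extension -> (MIME, signature).
ALLOWED = {
    "jpg":  ("image/jpeg", b"\xff\xd8\xff"),
    "jpeg": ("image/jpeg", b"\xff\xd8\xff"),
    "png":  ("image/png",  b"\x89PNG\r\n\x1a\n"),
}

def check_upload(filename, declared_mime, data):
    """Return (accepted, reason). Hypothetical helper, not a LimeSurvey API."""
    # Keep only the last path component so directory parts cannot hide dots.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    stem, *exts = name.lower().split(".")
    if not stem or not exts:
        return False, "missing name or extension"
    # Double extension: strictly one dot-segment may follow the stem.
    if len(exts) > 1:
        return False, "multiple extensions: " + ".".join(exts)
    ext = exts[0]
    if ext not in ALLOWED:
        return False, "extension not allowed: " + ext
    mime, signature = ALLOWED[ext]
    # The client-supplied Content-Type is untrusted, but it must at least agree.
    if declared_mime.lower() != mime:
        return False, "declared MIME type does not match extension"
    # Content check: the leading bytes must carry the format's signature.
    if not data.startswith(signature):
        return False, "content does not match extension"
    return True, "ok"

# Constructed sample uploads (not the files attached to the issue).
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLES = [
    ("photo.png", "image/png", PNG),
    ("payload.php.png", "image/png", PNG),
    ("notes.png", "image/png", b"<?php echo 1; ?>"),
    ("archive.zip", "application/zip", b"PK\x03\x04" + b"\x00" * 16),
    ("photo.jpg", "image/png", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
]

if __name__ == "__main__":
    for fname, mime, body in SAMPLES:
        print(fname, check_upload(fname, mime, body))
```

A matching signature only shows that the file starts like an image; whether a stored upload can ever be executed still depends on how the web server treats the upload directory, which is the point the maintainers make in the notes.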
Date Modified | Username | Field | Change |
---|---|---|---|
2024-01-18 09:58 | saimson1 | New Issue | |
2024-01-18 09:58 | saimson1 | File Added: payload.png | |
2024-01-18 09:58 | saimson1 | File Added: Screenshot_1.png | |
2024-01-18 10:00 | DenisChenu | Note Added: 79207 | |
2024-01-18 10:00 | DenisChenu | Bug heat | 256 => 258 |
2024-01-18 10:01 | DenisChenu | Assigned To | => DenisChenu |
2024-01-18 10:01 | DenisChenu | Status | new => closed |
2024-01-18 10:01 | DenisChenu | Resolution | open => no change required |
2024-01-18 10:01 | DenisChenu | Note Added: 79208 | |
2024-01-18 10:02 | DenisChenu | View Status | private => public |
2024-01-18 10:02 | DenisChenu | Bug heat | 258 => 252 |
2024-01-18 10:23 | saimson1 | Note Added: 79210 | |
2024-01-18 10:23 | saimson1 | Bug heat | 252 => 254 |
2024-01-18 11:42 | DenisChenu | Note Added: 79214 | |
2024-01-18 11:42 | DenisChenu | Assigned To | DenisChenu => c_schmitz |
2024-01-18 11:43 | DenisChenu | Status | closed => feedback |
2024-01-18 11:43 | DenisChenu | Resolution | no change required => reopened |
2024-01-18 11:43 | DenisChenu | Note Added: 79215 | |
2024-01-18 11:45 | DenisChenu | Note Added: 79216 | |
2024-01-19 06:20 | saimson1 | Note Added: 79223 | |
2024-01-19 06:20 | saimson1 | Status | feedback => assigned |
2024-01-19 10:16 | DenisChenu | Note Added: 79225 | |
2024-02-02 16:32 | c_schmitz | Note Added: 79395 | |
2024-02-02 16:32 | c_schmitz | Bug heat | 254 => 256 |
2024-02-02 16:33 | c_schmitz | Status | assigned => resolved |
2024-02-02 16:33 | c_schmitz | Resolution | reopened => no change required |
2024-02-02 16:33 | c_schmitz | Status | resolved => closed |