In addition, there are other cross site request forgery (CSRF), SQL injection, and file upload issues. The following are the high-level details of the arbitrary file upload vulnerability. The PHP code contains a call to system_get_file(), which accepts an input parameter named file_upload. An attacker can reach the system_get_file() call via a direct request or through any part of the web application that passes user input to it. The function is missing several checks:

- It does not verify that the file being uploaded is of a specific, expected type. This makes it possible for an attacker to upload any type of file, which can then be exploited via an arbitrary script.
- It does not validate the file path before retrieving the file.
- It does not verify that the resolved path stays inside the intended directory on the server's file system.
- It does not verify that the requesting user is authorised to access the file.

Each of these can be exploited via a direct request to the system_get_file() function or via a web application feature that accepts user input.

An Example of Arbitrary File Upload Vulnerability

The following call shows the missing path validation in practice. If the attacker supplies this value for the file parameter, the traversal sequence is used exactly as given, the path escapes the intended directory, and the function retrieves /etc/passwd from the server rather than an uploaded file:

system_get_file( "../../../etc/passwd" );
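The following is an added example, not the affected project's code. It models a system_get_file()-style helper that takes the file_upload parameter named above, first with the missing path validation as described, then hardened with the checks the advisory says are absent (path confinement, existence, and an allow list of file types). The uploads directory layout, the helper names and the allowed-extension list are assumptions for illustration; the demo files are constructed under the system temp directory so the script runs offline.

```php
<?php
declare(strict_types=1);

// Added example, not the affected project's code. Helper names, the uploads
// directory and the allowed-extension list are assumptions for illustration.

// As described in the advisory: the parameter is appended to the base
// directory without validation, so "../" sequences escape it.
function system_get_file_vulnerable(string $baseDir, string $file_upload): ?string
{
    $path = $baseDir . '/' . $file_upload;
    $data = @file_get_contents($path);
    return $data === false ? null : $data;
}

// Hardened: canonicalise with realpath(), require the result to stay below the
// base directory, check existence, and allow only an explicit set of extensions.
function system_get_file_safe(string $baseDir, string $file_upload, array $allowedExt = ['txt', 'pdf', 'png']): ?string
{
    if (strpos($file_upload, "\0") !== false) {
        return null; // a NUL byte would truncate the path in C-level calls
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $file_upload);
    if ($target === false || !is_file($target)) {
        return null; // does not exist or is not a regular file
    }
    // Prefix check with a trailing separator so that a sibling directory such
    // as "/srv/uploads-old" is not accepted for base "/srv/uploads".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null; // path traversal: resolved outside the base directory
    }
    $ext = strtolower(pathinfo($target, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null; // type not on the allow list (e.g. a .php script)
    }
    $data = file_get_contents($target);
    return $data === false ? null : $data;
}

// Constructed demo layout under the system temp directory: one report and one
// uploaded script inside the uploads directory, and a "secret" file outside it.
$root    = sys_get_temp_dir() . '/sgf_demo_' . getmypid();
$uploads = $root . '/uploads';
mkdir($uploads, 0700, true);
file_put_contents($uploads . '/report.txt', "quarterly report\n");
file_put_contents($uploads . '/shell.php', "<?php system(\$_GET['c']);\n");
file_put_contents($root . '/secret.txt', "db password\n");

// Compare both helpers on a legitimate name, a traversal, a script and a
// missing file.
$cases = ['report.txt', '../secret.txt', 'shell.php', 'missing.txt'];
foreach ($cases as $c) {
    printf("%-16s vulnerable=%-5s safe=%s\n",
        $c,
        system_get_file_vulnerable($uploads, $c) === null ? 'null' : 'read',
        system_get_file_safe($uploads, $c) === null ? 'null' : 'read');
}

// Remove the constructed files.
foreach (["$uploads/report.txt", "$uploads/shell.php", "$root/secret.txt"] as $f) {
    unlink($f);
}
rmdir($uploads);
rmdir($root);
```

Run it with `php example.php`. The hardened version rejects the traversal because realpath() resolves the "../" before the prefix comparison, which is the check the advisory reports as missing; the extension allow list is a separate control for the missing type check, and it should be paired with serving uploads from a directory where the web server does not execute scripts. The per-user authorisation check the advisory also mentions is application-specific and is not modelled here.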

How Does Cross Site Request Forgery (CSRF) Vulnerability Work?

CSRF does not require the attacker to be on the same domain as the victim. It relies on the browser automatically attaching the victim's session cookie to requests sent to the vulnerable application, regardless of which site the request originates from. If the victim is logged in and their session cookie is present, the attacker only needs to trick the victim into visiting a malicious web page. That page contains a specially crafted HTML form, usually submitted automatically by script, whose action points at the vulnerable application and whose fields carry attacker-chosen values. Because the application does not bind the request to a secret, per-session CSRF token that the attacker cannot read, it cannot tell the forged request from one the victim made deliberately, and the action is performed with the victim's privileges.
An example scenario in which CSRF might be exploited:
- The victim, while logged in, visits a malicious website that contains a specially crafted, self-submitting HTML form with attacker-chosen field values.
- The victim's browser submits those values to the vulnerable site via a POST request, attaching the victim's session cookie, and the application processes the request as if the victim had made it.
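The following is an added example, not the affected application's code: a synchronizer-token defence for the CSRF scenario just described. The session is modelled as an array passed by reference so the script runs from the command line; the form field names, the form action, the hostname in the attacker page and the attacker page itself are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not the affected application's code. Field names, the form
// action, the hostname and the attacker page are constructed for illustration.

// Issue one unpredictable token per session and reuse it for every form.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Render the application's own form with the token as a hidden field.
function csrf_form(array &$session, string $action): string
{
    $token  = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    $action = htmlspecialchars($action, ENT_QUOTES, 'UTF-8');
    return "<form method=\"post\" action=\"$action\">\n"
         . "  <input type=\"hidden\" name=\"csrf_token\" value=\"$token\">\n"
         . "  <input type=\"email\" name=\"email\">\n"
         . "  <button type=\"submit\">Save</button>\n"
         . "</form>\n";
}

// Server-side check on every state-changing POST: the submitted token must
// match the session token exactly (hash_equals avoids timing leaks).
function csrf_verify(array $session, array $post): bool
{
    if (empty($session['csrf_token']) || !isset($post['csrf_token']) || !is_string($post['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], $post['csrf_token']);
}

// Victim session: logged in, token issued when the real form was rendered.
$session = ['user_id' => 42];
$form    = csrf_form($session, '/account/email');

// The attacker's page on another origin. The browser attaches the victim's
// session cookie when this form auto-submits, but the page cannot read the
// token out of the victim's session or out of the application's HTML, so the
// forged request carries no token (or a guess).
$attackerPage = <<<HTML
<form id="f" method="post" action="https://vulnerable.example/account/email">
  <input type="hidden" name="email" value="attacker@example.net">
</form>
<script>document.getElementById("f").submit();</script>
HTML;

$legitPost  = ['csrf_token' => $session['csrf_token'], 'email' => 'me@example.com'];
$forgedPost = ['email' => 'attacker@example.net'];
$guessPost  = ['csrf_token' => str_repeat('0', 64), 'email' => 'attacker@example.net'];

var_dump(csrf_verify($session, $legitPost));  // only the application's own form passes
var_dump(csrf_verify($session, $forgedPost));
var_dump(csrf_verify($session, $guessPost));
```

Run it with `php csrf.php`. The check must run before the action is performed and must apply to every state-changing endpoint, not only the one form shown; tokens should never be accepted from the query string. Setting the session cookie with SameSite=Lax or Strict is a useful second layer, but it is not a substitute for the token, since older clients and some cross-site navigations do not honour it.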

Browsing to the root folder

The system_get_file() function also does not verify that the requested file exists before attempting to retrieve it. This can be triggered by browsing to the root directory in a web browser or via a direct request to the system_get_file() function. Combined with the missing file type check, browsing to the root folder lets an attacker place and then retrieve any type of file, which can be exploited via an arbitrary script.

Timeline

Published on: 10/18/2022 14:15:00 UTC
Last modified on: 10/19/2022 03:48:00 UTC
