A critical vulnerability (CVE-2024-12478) has been discovered in InvoicePlane, a popular open-source invoicing application, affecting versions up to 1.6.1. The flaw is in the upload_file function reached through the /index.php/upload/upload_file/1/1 endpoint, which accepts uploads without restricting what is uploaded. The issue can be exploited remotely, and an exploit is publicly available. Upgrading InvoicePlane to version 1.6.2-beta-1, which addresses this issue, is highly recommended. The vendor was contacted in a timely manner and has since released a fixed version of the affected product.

Vulnerability Details

The vulnerability stems from the upload_file function behind the /index.php/upload/upload_file/1/1 endpoint. Manipulating the "file" argument of the multipart request leads to an unrestricted file upload: the client-supplied filename and content are not restricted to safe types. A remote attacker can use this to place a malicious file on the target system and, if that file is reachable and executable by the web server, gain unauthorized access.

Exploit

The exploit has been publicly disclosed and can potentially be used by malicious individuals. The vulnerability can be exploited remotely by crafting a specially designed request for the affected component.

Here's a simplified snippet illustrating the vulnerable pattern (not the project's exact source): the uploaded entry is taken from $_FILES and used directly, without an extension allowlist, content check, or server-chosen filename.

function upload_file() {
    // Name, declared type and content all come from the client and are
    // accepted as-is: no allowlist, no content sniffing, no renaming.
    $file = $_FILES['file'];
    // ...rest of the code
}

To demonstrate the exploit, an attacker can send an HTTP POST request similar to the following example. Note that both the filename and the declared Content-Type of the part are chosen by the attacker, which is exactly why the server must not rely on either:

POST /index.php/upload/upload_file/1/1 HTTP/1.1
Host: target
Content-Type: multipart/form-data; boundary=---------------------------65432
Content-Length: [length]

-----------------------------65432
Content-Disposition: form-data; name="file"; filename="malicious_file.php"
Content-Type: application/php

<?php
// Malicious code here
?>
-----------------------------65432--
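The safe way to handle the same request, as an added example written for this page rather than InvoicePlane's own code or its fix: decide by an extension allowlist, sniff the real content instead of trusting the part's Content-Type, store under a server-chosen random name, and keep the file out of the web root. The allowed types, the 5 MB limit, and the storage directory are assumptions; only validate_upload() runs in the stand-alone demo, because move_uploaded_file() requires a real PHP upload.

```php
<?php
// Added example, not InvoicePlane's code: a hardened replacement for an
// upload handler that trusted the client-supplied filename and Content-Type.
// Assumptions (hypothetical for this page): attachments are limited to
// PDF/PNG/JPEG, at most MAX_BYTES, and the target directory is outside the
// web root so nothing written there can be served or executed.
declare(strict_types=1);

const ALLOWED_TYPES = [
    'pdf'  => 'application/pdf',
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
];
const MAX_BYTES = 5 * 1024 * 1024;

/**
 * Validate one $_FILES entry and return the server-chosen filename to store
 * it under, or throw. Nothing from the request is reused in that name.
 */
function validate_upload(array $upload): string
{
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed (PHP error code ' . ($upload['error'] ?? 'n/a') . ')');
    }
    if (!is_file($upload['tmp_name']) || filesize($upload['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('missing or oversized upload');
    }

    // 1. Allowlist on the *last* extension only, lowercased, so "shell.php",
    //    "shell.PHP" and "shell.pdf.php" are all rejected.
    $ext = strtolower(pathinfo($upload['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException("extension '$ext' is not allowed");
    }

    // 2. Sniff the real content. $upload['type'] is whatever the client put in
    //    the multipart part header (e.g. application/php) and is never used.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($upload['tmp_name']);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException("content is $mime, not " . ALLOWED_TYPES[$ext]);
    }

    // 3. Server-chosen name: random stem plus the allowlisted extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

function store_upload(array $upload, string $dir): string
{
    $dest = rtrim($dir, '/') . '/' . validate_upload($upload);
    // is_uploaded_file() rejects paths that did not come through PHP's upload
    // machinery, so a forged tmp_name cannot be used to copy arbitrary files.
    if (!is_uploaded_file($upload['tmp_name']) || !move_uploaded_file($upload['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    chmod($dest, 0640); // never executable
    return $dest;
}

// Stand-alone demo with constructed inputs (no HTTP request involved).
function fake_upload(string $name, string $content): array
{
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $content);
    // The declared type is deliberately a lie, as in the PoC request above.
    return ['name' => $name, 'type' => 'application/pdf', 'tmp_name' => $tmp,
            'error' => UPLOAD_ERR_OK, 'size' => strlen($content)];
}

$cases = [
    fake_upload('invoice.pdf', "%PDF-1.4\n1 0 obj<<>>endobj\n%%EOF\n"), // accepted
    fake_upload('malicious_file.php', "<?php system(\$_GET['c']); ?>"),  // bad extension
    fake_upload('shell.pdf', "<?php system(\$_GET['c']); ?>"),           // wrong content
];
foreach ($cases as $c) {
    try {
        echo $c['name'], ' -> stored as ', validate_upload($c), PHP_EOL;
    } catch (RuntimeException $e) {
        echo $c['name'], ' -> rejected: ', $e->getMessage(), PHP_EOL;
    } finally {
        unlink($c['tmp_name']);
    }
}
```

Running the demo accepts only the PDF sample; the .php upload is refused on extension and the PHP payload named shell.pdf is refused because libmagic reports it as text/x-php rather than application/pdf. The random filename also removes any chance of path traversal or of a double-extension trick against the web server's handler mapping.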

Original References

- CVE Details
- Github Issue
- Vendor's Security Advisory

Upgrade to 1.6.2-beta-1 or later, and continue applying patches and updates provided by the vendor. Until the upgrade is in place, check that the directory this endpoint writes to cannot serve or execute server-side scripts.

Kudos to the InvoicePlane team for their quick response and professional handling of the matter. Thanks to the early reporting and effective response, users can apply the necessary measures to safeguard their systems against this critical vulnerability.

Timeline

Published on: 12/16/2024 11:15:04 UTC