jQuery Uploadify 2.1.0 - Arbitrary File Upload

Vulnerability ID 1059064 Vulnerability type
Published 2010-01-21 Updated 2010-01-21
CVE number N/A CNNVD-ID N/A
Platform Multiple CVSS score N/A
|Source
https://www.exploit-db.com/exploits/11218
|Details
Vulnerability details have not been disclosed.
|Exploit
# Exploit Title: jQuery uploadify v2.1.0 Remote File Upload
# Date: 21/01/2010
# Author: k4cp3r/Ablus
# Version: v2.1.0
ActionScript from uploadify.swf:

// Builds the FileFilter list handed to FileReference.browse() from the
// fileDesc / fileExt parameters ('|'-separated, paired by position).
// It only governs what the browse dialog displays; nothing here checks
// the file that is eventually submitted.
function setAllowedTypes():void {
	allowedTypes = [];
	if (param.fileDesc && param.fileExt) {
		var fileDescs:Array = param.fileDesc.split('|');
		var fileExts:Array = param.fileExt.split('|');
		for (var n = 0; n < fileDescs.length; n++) {
			allowedTypes.push(new FileFilter(fileDescs[n], fileExts[n]));
		}
	}
}
setAllowedTypes();

The FileFilter class only determines which files are shown in the file-browsing dialog that opens when FileReference.browse() is called. It is a client-side display filter, not a validation step, so a user can bypass it by typing the name and path of an arbitrary file directly into the dialog instead of navigating to and selecting it.

Exploit:

#1 : upload your file, i.e. (shell.php)
#2 : Retrieve the 'folder' parameter passed to the uploadify jQuery function
	 from the head of the page source code, i.e. ('folder': 'files/',)
#3 : Navigate to your file, i.e. (http://site/files/shell.php)

Fix:

A quick fix is to validate the file type server-side, inside uploadify.php, before saving the file,
OR to randomize your file names :)
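The server-side fix sketched above, as an added example that is not Uploadify's own uploadify.php: the handler allow-lists the extension, checks the sniffed content type against it, stores under a random name, and never trusts the client-supplied name or the FileFilter. It assumes the upload field is named "Filedata" (Uploadify's default) and a fixed destination directory instead of a folder read from the request.

```php
<?php
// Added example, not Uploadify's own uploadify.php. Assumptions: the upload
// field is "Filedata" (Uploadify's default) and the destination directory is
// fixed here instead of being read from the request.
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/files';            // assumed destination
const ALLOWED = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

function validate_upload(array $file): ?string
{
    // Must be a genuine PHP upload with no transfer error.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Extension comes from the client name, so it is allow-listed only;
    // basename() drops any path the user typed into the browse dialog.
    $ext = strtolower(pathinfo(basename($file['name']), PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return null;
    }
    // The sniffed content type of the temp file must agree with the extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        return null;
    }
    return $ext;
}

function store_upload(array $file): ?string
{
    $ext = validate_upload($file);
    if ($ext === null) {
        return null;
    }
    // Randomised name: nothing in the stored path derives from user input.
    $target = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $target) ? $target : null;
}

if (isset($_FILES['Filedata'])) {
    $stored = store_upload($_FILES['Filedata']);
    http_response_code($stored === null ? 400 : 200);
    echo $stored === null ? 'rejected' : '1';
}
```

Keeping the upload directory outside the web root, or serving it with script execution disabled, is the complementary control for anything that slips past the extension and content checks.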


Greetz to all Al Akhawayn friends