LPology / Simple-Ajax-Uploader

Javascript file upload plugin with progress bar support. Works in all major browsers, including IE7+, Chrome, Firefox, Safari, and Opera. No dependencies - use it with or without jQuery.

Relative path security issue #91

Closed nickgardos closed 9 years ago

nickgardos commented 9 years ago

Hello,

I am using simple-ajax-uploader for a big project and as usual before I push 3rd party code on production I inspect the code. Sadly I found a big security issue with this one...

A user is able to upload a file using the XHR uploader and set a filename of this type: ../../test.txt All you have to do is to open your browser dev tools and go to the network tab. First upload the test.txt as you would normally do, and after the upload finishes, click on the logged connection and select Edit and resend. Then, simply change the filename to something like this: ../../test.txt. From my tests the file will not be saved in the upload dir but 2 directories up (or wherever you point it).

To fix this security hole just replace line 93 on Uploader.php with the following:

$this->fileName = str_replace(array('/','\\'),'_',$this->handler->getFileName());

nickgardos commented 9 years ago

Version 2 is also vulnerable. All you have to do is edit the X-File-Name header to something like this: ../../test.txt

To fix v.2 simply add after line 69:

$this->fileName = str_replace(array('/','\\'),'_',$this->fileName);
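The two one-line fixes above both neutralise the path separators in the client-supplied name. The block below is an added PHP example, not code from Simple-Ajax-Uploader or from the reporter: it applies the same separator replacement and adds the checks a server should make on the same value anyway (control bytes, bare `.`/`..`, and a final confirmation that the resolved path is still inside the upload directory). The function names `sanitizeUploadName` and `resolveUploadPath`, the demo directory and the sample names are constructed for this example.

```php
<?php
// Added example, not code from Simple-Ajax-Uploader: hardened handling of the
// file name that arrives in the X-File-Name header (v2) or the multipart field (v1).
// Function names and demo inputs are constructed for this example.

function sanitizeUploadName(string $raw): string
{
    // Same idea as the fix in the issue: replace both separators so that
    // '../../test.txt' becomes '.._.._test.txt' and can no longer leave the
    // directory. basename() alone is not enough, as it only knows '/' on Linux.
    $name = str_replace(['/', '\\'], '_', $raw);

    // NUL bytes and other control characters can truncate or mangle the path
    // further down (filesystem calls, logging), so strip them as well.
    $name = preg_replace('/[\x00-\x1F\x7F]/', '', $name);

    // With separators gone, '.' and '..' are the only names that still point at
    // a directory rather than a file; refuse them and anything empty.
    if ($name === '' || $name === '.' || $name === '..') {
        throw new InvalidArgumentException('rejected file name: ' . json_encode($raw));
    }
    return $name;
}

function resolveUploadPath(string $uploadDir, string $rawName): string
{
    $base = realpath($uploadDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('upload directory does not exist: ' . $uploadDir);
    }
    $target = $base . DIRECTORY_SEPARATOR . sanitizeUploadName($rawName);

    // Defence in depth: whatever the name became, its parent directory must
    // resolve to the upload directory itself, otherwise something escaped.
    if (realpath(dirname($target)) !== $base) {
        throw new RuntimeException('target escapes upload directory: ' . $target);
    }
    return $target;
}

// Demo with constructed inputs, including the header value from the report.
$uploadDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'sau-demo-uploads';
if (!is_dir($uploadDir)) {
    mkdir($uploadDir, 0700, true);
}

$samples = [
    'report.pdf',        // ordinary name, kept as-is
    '../../test.txt',    // the X-File-Name value from the issue
    '..\\..\\test.txt',  // Windows-style separators
    "evil\0.php",        // embedded NUL byte
    '..',                // bare parent reference
];

foreach ($samples as $raw) {
    try {
        $path = resolveUploadPath($uploadDir, $raw);
        printf("%-22s -> %s\n", json_encode($raw), basename($path));
    } catch (Throwable $e) {
        printf("%-22s -> REJECTED (%s)\n", json_encode($raw), $e->getMessage());
    }
}
```

Run it with `php example.php`; the traversal names come out as flat file names inside the upload directory, the bare `..` is rejected, and the NUL byte is stripped before the name reaches the filesystem. The `realpath` comparison is deliberately kept even though the separator replacement already prevents traversal: it is the check that keeps working if the sanitisation step is later changed or bypassed.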

LPology commented 9 years ago

Nice catch. Just merged your pull request.