ajayrandhawa / User-Management-PHP-MYSQL

PHP User Management System is a powerful PHP script that offers a secure user management system. The application is a great way to build your website, allowing your users to register an account and build restricted access to certain users. We offer great support and it’s very easy to install. It’s powered by MYSQL and PHP.

Remote code execution as www-data #20

Closed palioxss closed 2 years ago

palioxss commented 2 years ago

Synopsis

I have discovered multiple remote code execution vulnerabilities in the following files.

register.php
profile.php
admin/edit-user.php
feedback.php

These vulnerabilities would allow an attacker to gain a foothold shell as www-data.

Proof of concept

Exploitation walkthrough can be found here: https://palioxss.com/projects/exploit1.html

Technical summary

/register.php fails to properly handle file extension sanitization, allowing an attacker to upload a php file.

    <script type="text/javascript">

        // Client-side check only: compares the file name's extension
        // against an allowlist before the form is submitted.
        function validate()
        {
            var extensions = new Array("jpg","jpeg");
            var image_file = document.regform.image.value;
            var image_length = document.regform.image.value.length;
            var pos = image_file.lastIndexOf('.') + 1;
            var ext = image_file.substring(pos, image_length);
            var final_ext = ext.toLowerCase();
            for (var i = 0; i < extensions.length; i++)
            {
                if(extensions[i] == final_ext)
                {
                    return true;
                }
            }
            alert("Image Extension Not Valid (Use Jpg,jpeg)");
            return false;
        }

    </script>

The above code is run client-side, so it can be bypassed by editing the request manually.

profile.php, admin/edit-user.php and feedback.php do not implement any form of file sanitization at all. This would allow an attacker to simply click "upload" and select their php file.
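For comparison, the following is an added example (not code from the repository or the reporter) of the server-side validation that the upload handlers above lack. It assumes the form field is still named `image`, that the GD and fileinfo extensions are available, and that `$uploadDir` is a directory from which the web server will not execute PHP.

```php
<?php
// Added example, not part of the project: validate an uploaded profile
// image on the server, independent of any client-side JavaScript check.
function validateImageUpload(array $file, string $uploadDir): string
{
    // Reject anything PHP's own upload handling already flagged.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or no file provided.');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not a genuine uploaded file.');
    }
    if ($file['size'] > 2 * 1024 * 1024) {
        throw new RuntimeException('File too large.');
    }

    // Inspect the actual bytes; ignore the client-supplied name and $file['type'].
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    $allowed = ['image/jpeg' => 'jpg'];
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('Only JPEG images are accepted.');
    }

    // Decode and re-encode so that non-image bytes appended to a valid
    // JPEG header do not survive into the stored file.
    $img = @imagecreatefromjpeg($file['tmp_name']);
    if ($img === false) {
        throw new RuntimeException('File is not a decodable JPEG.');
    }

    // Never reuse the client-supplied file name; generate one with a fixed extension.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!imagejpeg($img, $dest, 90)) {
        imagedestroy($img);
        throw new RuntimeException('Could not save image.');
    }
    imagedestroy($img);
    return $name;
}

// Hypothetical usage in register.php, in place of a bare move_uploaded_file():
// $stored = validateImageUpload($_FILES['image'], __DIR__ . '/uploads');
```

The same function applies unchanged to the uploads in profile.php, admin/edit-user.php and feedback.php; the client-side validate() can stay for usability, but the server must enforce the check.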

ajayrandhawa commented 2 years ago

Thanks for the info. I know this code may have other vulnerabilities also; this is a school project developed way back. In future I will try to fix it.