Unrestricted Upload of File with Dangerous Type in phpGrid (CVE-2017-10665)
Abstract
An Unrestricted Upload of File with Dangerous Type vulnerability in ajaxfileupload.php in Kayson Group Ltd. phpGrid 7.2 and earlier allows remote attackers to execute arbitrary code by posting a malicious file to ajaxfileupload.php, which stores it in the local file system.
Credit
Andreas Schnederle-Wagner, 28.06.2017
Contact
For feedback or questions about this advisory, mail me at schnederle@futureweb.at
Affected Software
phpGrid
Tested versions
7.2; earlier versions are affected too
CVE ID
CWE ID
Attack Type, Impact
Remote, Code Execution, Denial of Service, Information Disclosure, Path Traversal, access to the server in the web server context
Access Complexity, Authentication
Low, Not required
Fix
Fixed in 7.2.5
Introduction
phpGrid is a PHP CRUD framework with Ajax file upload capability. Inadequate input validation allows an Unrestricted Upload of File with Dangerous Type to the server file system.
Details
The Unrestricted Upload of File with Dangerous Type vulnerability exists in the file ajaxfileupload.php. The file accepts any file payload without restriction. Because the folder can be set through a GET request, path traversal is also possible.
The vulnerable code is shown below.
Figure 1: vulnerable code in ajaxfileupload.php
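One way to close both gaps described above, an extension allowlist plus confinement of the request-supplied folder to a fixed root, shown as an added example that is neither phpGrid's code nor its 7.2.5 fix. UPLOAD_ROOT, ALLOWED_EXT, store_upload and the form field and parameter names are hypothetical.

```php
<?php
// Added example, not phpGrid code. UPLOAD_ROOT, ALLOWED_EXT and
// store_upload() are hypothetical names chosen for illustration.
const UPLOAD_ROOT = '/var/www/app/uploads';   // assumed storage root
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

function store_upload(array $file, string $folder): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }

    // Folder from the request: accept one plain directory name only,
    // so "../", absolute paths and NUL bytes are rejected outright.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $folder)) {
        throw new RuntimeException('invalid folder');
    }
    $root = realpath(UPLOAD_ROOT);
    $dir  = realpath($root . DIRECTORY_SEPARATOR . $folder);
    // realpath() resolves symlinks; the result must still sit under the root.
    if ($root === false || $dir === false || !is_dir($dir)
        || strncmp($dir, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        throw new RuntimeException('folder outside upload root');
    }

    // Extension allowlist on the client-supplied name (not a denylist).
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        throw new RuntimeException('file type not allowed');
    }

    // Server-generated name: the client's file name never reaches the disk,
    // which also removes double extensions such as "x.php.jpg".
    $target = $dir . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store file');
    }
    chmod($target, 0640);   // readable, never executable
    return $target;
}

// Usage in an upload endpoint (field and parameter names are assumptions):
// $path = store_upload($_FILES['file'], (string)($_GET['folder'] ?? ''));
```

Disabling PHP execution for the upload directory in the web server configuration adds a second layer in case a dangerous file is ever stored there.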
Proof of concept