Arbitrary File Upload vulnerability from Sourcecodester Zipped Folder Manager App 1.0 (add-folder.php)
Affected Project: Zipped Folder Manager App 1.0
Official Website: https://www.sourcecodester.com/php/17291/zipped-folder-manager-app-using-php-and-mysql-source-code.html
Version: 1.0
Related Code file: add-folder.php
The Zipped Folder Manager App 1.0 has an Arbitrary File Upload vulnerability in its add-folder.php file.
This vulnerability arises because the application does not validate the contents of uploaded files at all; its only check is that the file name ends in .zip. An attacker can therefore upload an arbitrary file (for example a PHP script) under a .zip name, which can lead to execution of arbitrary code on the server wherever that content is later extracted or served as PHP.
The script accepts and stores any file whose name ends in .zip, without inspecting the file's type, structure or content. This lack of validation can result in several security issues, including:
- Arbitrary File Upload: Attackers can upload malicious files, such as PHP scripts disguised as .zip archives (or genuine archives that contain PHP scripts), that may be executed on the server, potentially resulting in remote code execution.
- Directory Traversal: The script performs no directory traversal check on the destination path, so if that path is derived from the client-supplied file name an attacker could place the upload in an unintended directory, which could result in unauthorized access or the overwriting of sensitive files.
- Denial of Service: Attackers could upload excessively large files, consuming disk space and server resources and leading to denial of service.
- File Extension Check Only:
- The add-folder.php script checks the file type based only on the file extension, using pathinfo():
    // Extension check only: the file name decides, the bytes are never inspected
    $fileType = strtolower(pathinfo($zipFile, PATHINFO_EXTENSION));
    if ($fileType != 'zip') {
        echo "Only zip files are allowed.";
        exit;
    }
- This check only verifies that the file name ends in .zip. It does not verify the actual contents or structure of the file, so the uploaded bytes need not be a zip archive at all (any file renamed to .zip passes), and a genuine archive can carry arbitrary PHP scripts as entries.
- Lack of Content Inspection:
- There is no inspection or validation of the contents of the uploaded .zip file. Attackers can upload a .zip archive containing files like malicious.php. Once extracted or executed on the server, these files can run arbitrary PHP code.
- File Upload Location:
- The file is directly moved to the target directory using the move_uploaded_file() function:
    // The upload is moved to its final path with no further inspection
    if (move_uploaded_file($_FILES['folder']['tmp_name'], $zipFile)) {
        // Insert the folder information into the database
    }
- If the folders/ directory lies within the web root, the stored file is reachable over HTTP. Because it keeps its .zip name, a default web server configuration will serve it as a download rather than execute it; executing the embedded PHP requires that the archive later be extracted into a web-served directory, or a handler configuration that passes the file to PHP. Where either condition holds, the attacker can reach their malicious code directly via HTTP, resulting in Remote Code Execution (RCE).
- Database Interaction:
- Once the file is uploaded, the script stores information about the file in the database:
$stmt = $conn->prepare("INSERT INTO tbl_folder (zip_file, date_uploaded) VALUES (:zipFile, :dateUploaded)");
- While this part does not directly contribute to the vulnerability, it records the stored file name and upload date, which makes it easier for an attacker to locate and retrieve their malicious upload later through the application's own listing.
Below is what the Zipped Folder Manager App looks like:
A user can add a zipped folder as follows:
Let's intercept the traffic when adding a zipped folder using Burp Suite:
The request body can be modified to contain any content, since the app never validates what is inside the zipped folder. Here, I have inserted PHP code as an example:
After sending the modified request, we can confirm the modified zipped folder is uploaded with no issue:
When we download the zipped folder, we can see that the file has a .zip extension but its content is the injected PHP code, stored untouched: