Job Links - Complete Job Management Script - Arbitrary File Upload

vendor:

Job Links - Complete Job Management Script

by:

Ihsan Sencan

3,3

CVSS

MEDIUM

Arbitrary File Upload

434

CWE

Product Name: Job Links - Complete Job Management Script

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: WiN7_x64/KaLiLinuX_x64

2017

Job Links – Complete Job Management Script – Arbitrary File Upload

The vulnerability allows an Job Seeker & Employer users upload arbitrary file. The vulnerable source code is located in the profileChange and coverChange functions of the User controller, which do not validate the file type before uploading it to the uploads directory.

Mitigation:

Validate the file type before uploading it to the uploads directory.

Source

Exploit-DB raw data:

# # # # # 
# Exploit Title: Job Links - Complete Job Management Script - Arbitrary File Upload
# Dork: N/A
# Date: 26.09.2017
# Vendor Homepage: http://teamworktec.com/
# Software Link: https://codecanyon.net/item/job-links-complete-job-management-script/20672089
# Demo: http://teamworktec.com/demo/job-links/
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# 
# The vulnerability allows an Job Seeker & Employer users upload arbitrary file....
# 
# Vulnerable Source:
# 
#      changes in user profile
#      */
#     public function profileChange(Request $request){
#         $users =  User::find(Auth::id());
#         if (!empty($request->avatar)) {
#             $large_image = public_path('uploads/'.$users->avatar);
#             File::delete($large_image);
#             $file = $request->avatar;
#             $users->avatar  = $file->getClientOriginalName();
#             $users->save();
#             $file->move('uploads', $file->getClientOriginalName());
#             return $request->avatar->getClientOriginalName();
#         } else
#             return $users->avatar;
#     }
# 
#     /*
#      change Cover picture
#      */
#     public function coverChange(Request $request){
#         $users =  User::find(Auth::id());
# 
#         if (!empty($request->cover)) {
#             $large_image = public_path('uploads/'.$users->cover);
#             File::delete($large_image);
#             $file = $request->cover;
#             $users->cover  = $file->getClientOriginalName();
#             $users->save();
#             $file->move('uploads', $file->getClientOriginalName());
#             return $request->cover->getClientOriginalName();
#         } else
#             return $users->cover;
#     }
# 	
# Proof of Concept: 
# 
# http://localhost/[PATH]/profile/[UserName]
# http://localhost/[PATH]/uploads/[FILE]
# 
# Etc..
# # # # #