Php Inventory & Invoice Management System - Arbitrary File Upload

vendor:

PHP Inventory and Invoice Management System

by:

Ihsan Sencan

9,8

CVSS

CRITICAL

Arbitrary File Upload

434

CWE

Product Name: PHP Inventory and Invoice Management System

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: YES

Related CWE: CVE-2017-15990

CPE: a:savsofteproducts:php_inventory_and_invoice_management_system

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: WiN7_x64/KaLiLinuX_x64

2017

Php Inventory & Invoice Management System – Arbitrary File Upload

The vulnerability allows an users upload arbitrary file. Vulnerable source code can be found in the text. Proof of concept is provided in the text.

Mitigation:

Restrict access to the upload folder and ensure that the uploaded files are validated before being stored on the server.

Source

Exploit-DB raw data:

# # # # # 
# Exploit Title: Php Inventory & Invoice Management System - Arbitrary File Upload
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://savsofteproducts.com/
# Software Link: http://www.phpinventory.com/
# Demo: http://phpinventory.com/phpinventory_demo/ 
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15990
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# 
# The vulnerability allows an users upload arbitrary file....
# 
# Vulnerable Source:
#
# .............1
# if($_FILES['userfile']['name']!=''){	
#	$target = 'images/user_pics/';
#	$targets = $target . basename( $_FILES['userfile']['name']);
#	$docadd=($_FILES['userfile']['name']);
#	if(move_uploaded_file($_FILES['userfile']['tmp_name'], $targets))
#		{
#			$pfilename=$_FILES['userfile']['name'];
#			$filename=time().$pfilename;
#			$new_path=$target.$filename;
#			rename($targets,$new_path);
#		}
#
#}else{
#$filename=$_POST['user_picname'];
#}
# .............2,3,4
# $target = 'images/logo/';
# $target = 'images/product_images/';
# $target = 'images/service_providers/';
# Etc..
# .............
#
# Proof of Concept: 
# 
# http://localhost/[PATH]/index.php/dashboard/edit_myaccountdetail/
# 
# http://localhost/[PATH]/images/user_pics/[...].php
# 
# Etc..
# # # # #