Photo Fusion - Free Stock Photos Script - Arbitrary File Upload

vendor:

Photo Fusion - Free Stock Photos Script

by:

Ihsan Sencan

7,5

CVSS

HIGH

Arbitrary File Upload

434

CWE

Product Name: Photo Fusion - Free Stock Photos Script

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: WiN7_x64/KaLiLinuX_x64

2017

Photo Fusion – Free Stock Photos Script – Arbitrary File Upload

The vulnerability allows an users upload arbitrary file. The application does not validate the file type and extension of the uploaded file, which can be used to upload malicious files and execute arbitrary code on the server.

Mitigation:

Validate the file type and extension of the uploaded file.

Source

Exploit-DB raw data:

# # # # # 
# Exploit Title: Photo Fusion - Free Stock Photos Script - Arbitrary File Upload
# Dork: N/A
# Date: 26.09.2017
# Vendor Homepage: http://teamworktec.com/
# Software Link: https://codecanyon.net/item/photo-fusion-free-stock-photos-script/20115244
# Demo: http://teamworktec.com/demo/photos-fusion/
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# 
# The vulnerability allows an users upload arbitrary file....
# 
# Vulnerable Source:
# 
#     /*Change profile picture*/
#     public function changeAvatar(Request $request){
#         if(Auth::user()){
#             $user = User::find(Auth::id());
#             $user->avatar = $request->picture->getClientOriginalName();
#             $user->save();
#             $file = $request->picture;
#             $file->move('uploads', $file->getClientOriginalName());
#             return $request->picture->getClientOriginalName();
#         }
#         return 'please login to change avatar';
#     }
# 
#     /*Change profile cover*/
#     public function changeCover(Request $request){
#         if(Auth::user()){
#             $user = User::find(Auth::id());
#             $user->cover = $request->cover->getClientOriginalName();
#             $user->save();
#             $file = $request->cover;
#             $file->move('uploads', $file->getClientOriginalName());
#             return $request->cover->getClientOriginalName();
#         }
#         return 'please login to change avatar';
#     }
# 	
# Proof of Concept: 
# 
# http://localhost/[PATH]/
# http://localhost/[PATH]/uploads/[FILE]
# 
# Etc..
# # # # #