Online Book Store Project v1.0 - Insecure File Upload
Summary
Name | Online Book Store Project v1.0 - Insecure File Upload |
Code name | |
Product | Online Book Store Project |
Affected versions | Version 1.0 |
State | Public |
Release date | 2023-09-28 |
Vulnerability
Kind | Insecure File Upload |
Rule | |
Remote | Yes |
CVSSv3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
CVSSv3.1 Base Score | 9.1 |
Exploit available | Yes |
CVE ID(s) | CVE-2023-43740 |
Description
Online Book Store Project v1.0 has an Insecure File Upload vulnerability in the 'image' parameter of the admin_edit.php page, which allows an authenticated attacker to obtain Remote Code Execution on the server hosting the application.
Vulnerability
The 'image' parameter of the admin_edit.php resource does not validate the contents, extension or type of the file uploaded as a book image. This permits an arbitrary file upload, which can be abused to obtain Remote Code Execution. The vulnerable code is located in edit_book.php:
if(isset($_FILES['image']) && $_FILES['image']['name'] != ""){
    // Client-supplied file name, used as-is (no extension, type or content check)
    $image = $_FILES['image']['name'];
    $directory_self = str_replace(basename($_SERVER['PHP_SELF']), '', $_SERVER['PHP_SELF']);
    // Destination is inside the web root: <document root>/<script dir>/bootstrap/img/
    $uploadDirectory = $_SERVER['DOCUMENT_ROOT'] . $directory_self . "bootstrap/img/";
    $uploadDirectory .= $image;
    move_uploaded_file($_FILES['image']['tmp_name'], $uploadDirectory);
}
Evidence of exploitation
Our security policy
We have reserved the ID CVE-2023-43740 to refer to this issue from now on.
System Information
- Version: Online Book Store Project v1.0
- Operating System: Any
Mitigation
There is currently no patch available for this vulnerability.
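Until a vendor fix exists, the upload handler shown above can be hardened along the following lines. This is an added example, not a vendor patch and not code from the original advisory; the function name store_book_image, the allow-list of image types, the 2 MiB size limit and the use of __DIR__ for the upload directory are assumptions.

```php
<?php
// Added example, not vendor code. Assumed: the allow-list below, a 2 MiB cap, the
// fileinfo extension, and bootstrap/img/ located beside this script.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];
const MAX_IMAGE_BYTES = 2 * 1024 * 1024;

// Validates one $_FILES entry and stores it under a server-generated name.
// Returns the stored file name, or null when the upload is rejected.
function store_book_image(array $file, string $uploadDir): ?string
{
    // Reject failed uploads and array-style (image[]) submissions.
    if (!isset($file['error']) || is_array($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    if (!is_uploaded_file($file['tmp_name']) || $file['size'] > MAX_IMAGE_BYTES) {
        return null;
    }
    // Derive the type from the file contents, never from $file['type'] or the client name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime])) {
        return null;
    }
    // The contents must also parse as an image of that same type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        return null;
    }
    // Server-chosen name and extension: the client file name never reaches a path.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
    if (!move_uploaded_file($file['tmp_name'], rtrim($uploadDir, '/') . '/' . $name)) {
        return null;
    }
    return $name;
}

if (isset($_FILES['image']) && $_FILES['image']['name'] !== '') {
    $image = store_book_image($_FILES['image'], __DIR__ . '/bootstrap/img');
    if ($image === null) {
        http_response_code(400);
        exit('Invalid image upload');
    }
}
```

Because the stored name and extension are chosen by the server, an uploaded file can no longer land in bootstrap/img/ with a .php extension. Disabling script execution for that directory in the web server configuration adds a second layer.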
Credits
The vulnerability was discovered by Andres Roldan from Fluid Attacks' Offensive Team.
References
Vendor page https://projectworlds.in/
Timeline
- 2023-09-21: Vulnerability discovered.
- 2023-09-21: Vendor contacted.
- 2023-09-28: Public Disclosure.