Impact
This vulnerability allows users with access to file uploads to execute arbitrary code.
Patches
This vulnerability has preventions in place in the latest code. It is still possible to exploit if the environment is configured outside of the recommended way, with the web server configuration not preventing execution, and the Phproject file type blacklist being altered or disabled.
Workarounds
For users not able to update to Phproject 1.7.8, it is recommended to disallow PHP execution from the upload directory. On Apache, this can be done by creating a new .htaccess file in the uploads directory:
For nginx, add a regex location block for /uploads to your Phproject server block. This will be the last block evaluated for the match, preventing PHP code execution:
location ~ ^/uploads/ {
deny all;
}References
For more information
If you have any questions or comments about this advisory:
This exploit worked by uploading a .php file to an issue and determining its path from the webroot via the date and unix timestamp (which could take a few attempts if the server is out of sync, but is fairly trivial). The files were not meant to be directly accessible, as the application proxies access to them in all of the app-generated URLs, but the files are stored in a web accessible directory by default.
@niebardzo found this issue, demonstrated it on the demo environment, and disclosed the issue according to our policy.
niebardzo Analyst
Impact
This vulnerability allows users with access to file uploads to execute arbitrary code.
Patches
This vulnerability has preventions in place in the latest code. It is still possible to exploit if the environment is configured outside of the recommended way, with the web server configuration not preventing execution, and the Phproject file type blacklist being altered or disabled.
Workarounds
For users not able to update to Phproject 1.7.8, it is recommended to disallow PHP execution from the upload directory. On Apache, this can be done by creating a new
.htaccessfile in theuploadsdirectory:Deny from allFor nginx, add a regex location block for
/uploadsto your Phprojectserverblock. This will be the last block evaluated for the match, preventing PHP code execution:References
For more information
If you have any questions or comments about this advisory:
This exploit worked by uploading a .php file to an issue and determining its path from the webroot via the date and unix timestamp (which could take a few attempts if the server is out of sync, but is fairly trivial). The files were not meant to be directly accessible, as the application proxies access to them in all of the app-generated URLs, but the files are stored in a web accessible directory by default.
@niebardzo found this issue, demonstrated it on the demo environment, and disclosed the issue according to our policy.