Authenticated users can craft a POST request to delete any file on the webserver

High
johnnyq published GHSA-mf57-hmpm-v357 May 12, 2023

Package

post.php (ITFlow)

Affected versions

51ee47913052eeb6440153d4a36c51599d572b2f and below

Patched versions

e67a75805cf68365e1b2abc99f18b63d33811a16

Description

Summary

A carefully crafted POST request to post.php allows authenticated users (accountants, technicians, and administrators) to delete any file on the server that www-data has permission to delete.

Details

The vulnerable code is here:

itflow/post.php

Lines 2731 to 2771 in 51ee479

    if(isset($_POST['edit_expense'])){
        require_once('models/expense.php');
        $expense_id = intval($_POST['expense_id']);
        $existing_file_name = sanitizeInput($_POST['existing_file_name']);
        // Check for and process attachment
        $extended_alert_description = '';
        if ($_FILES['file']['tmp_name'] != '') {
            if ($new_file_name = checkFileUpload($_FILES['file'], array('jpg', 'jpeg', 'gif', 'png', 'pdf'))) {
                $file_tmp_path = $_FILES['file']['tmp_name'];
                // directory in which the uploaded file will be moved
                $upload_file_dir = "uploads/expenses/";
                $dest_path = $upload_file_dir . $new_file_name;
                move_uploaded_file($file_tmp_path, $dest_path);
                //Delete old file
                unlink("uploads/expenses/$existing_file_name");
                mysqli_query($mysqli,"UPDATE expenses SET expense_receipt = '$new_file_name' WHERE expense_id = $expense_id");
                $extended_alert_description = '. File successfully uploaded.';
            } else {
                $_SESSION['alert_type'] = "error";
                $extended_alert_description = '. Error uploading file. Check upload directory is writable/correct file type/size';
            }
        }
        mysqli_query($mysqli,"UPDATE expenses SET expense_date = '$date', expense_amount = $amount, expense_account_id = $account, expense_vendor_id = $vendor, expense_client_id = $client, expense_category_id = $category, expense_description = '$description', expense_reference = '$reference' WHERE expense_id = $expense_id");
        $_SESSION['alert_message'] = "Expense modified" . $extended_alert_description;
        //Logging
        mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Expense', log_action = 'Modify', log_description = '$description', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
        header("Location: " . $_SERVER["HTTP_REFERER"]);
    }

The vulnerability stems from the variable $existing_file_name never being verified to be the legitimate previous file name before it is passed to unlink(). sanitizeInput() does not strip path separators or "..", so the value goes into the path unchanged.

This allows an attacker to take advantage of path traversal and unlink any file they want to -- provided that the webserver user has the permission to do so.

For example, this is form-data that would delete the login page: existing_file_name=../../login.php.
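The following is an added example of how the "delete old file" step can be hardened; it is not ITFlow's code and not the contents of the patch commit named above. Rather than trusting the client-supplied existing_file_name field at all, it reads the receipt name stored for the expense from the expenses table (the expense_receipt column shown in the vulnerable code) and refuses to unlink anything whose resolved path is not inside the upload directory. The function names are hypothetical.

```php
<?php
// Added example, not ITFlow's own code or its patch. A hardened replacement for
// the "//Delete old file" step of the edit_expense handler: the name to delete
// comes from the database row, never from $_POST, and the resolved path must
// stay inside the upload directory before unlink() is called.

// Fetch the receipt filename currently stored for this expense.
// Table and column names are the ones visible in the vulnerable handler.
function lookupStoredReceipt(mysqli $mysqli, int $expense_id): ?string
{
    $stmt = $mysqli->prepare("SELECT expense_receipt FROM expenses WHERE expense_id = ?");
    $stmt->bind_param('i', $expense_id);
    $stmt->execute();
    $stmt->bind_result($receipt);
    $found = $stmt->fetch();
    $stmt->close();
    return ($found && $receipt !== null && $receipt !== '') ? $receipt : null;
}

// Return the absolute path of $filename inside $upload_dir, or null when the
// name carries a directory component or the resolved path escapes the directory.
function containedUploadPath(string $upload_dir, string $filename): ?string
{
    // Accept a bare filename only: any slash, backslash or "." / ".." is rejected.
    if ($filename === '' || $filename === '.' || $filename === '..' || $filename !== basename($filename)) {
        return null;
    }
    $base = realpath($upload_dir);
    $candidate = realpath($upload_dir . DIRECTORY_SEPARATOR . $filename);
    if ($base === false || $candidate === false) {
        return null; // upload directory or file does not exist
    }
    // realpath() follows symlinks, so a link inside uploads/ that points
    // elsewhere on disk resolves outside $base and is refused as well.
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// Delete the receipt attached to $expense_id. Returns true only when a file
// inside $upload_dir was actually removed.
function deleteStoredReceipt(mysqli $mysqli, int $expense_id, string $upload_dir): bool
{
    $stored = lookupStoredReceipt($mysqli, $expense_id);
    if ($stored === null) {
        return false; // nothing attached, nothing to delete
    }
    $path = containedUploadPath($upload_dir, $stored);
    if ($path === null) {
        // Worth logging: a stored name that is not a plain filename means the
        // database row itself was tampered with or written by older code.
        error_log("refusing to unlink receipt for expense $expense_id: '$stored' is not a file inside $upload_dir");
        return false;
    }
    return unlink($path);
}

// Usage inside the handler, replacing unlink("uploads/expenses/$existing_file_name"):
//   deleteStoredReceipt($mysqli, $expense_id, __DIR__ . '/uploads/expenses');
```

With this in place the existing_file_name form field is simply never read, so a value such as ../../login.php has no effect. The containedUploadPath() check is kept as a second layer because the stored name could itself have been written by the vulnerable code path or altered directly in the database. The role problem listed under Impact (technicians reaching expense functions at all) is a separate authorization check in front of the handler and is not addressed by this example.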

Impact

This vulnerability has the following impact:

  • Loss of availability
  • Catastrophic consequences if the webserver administrator is lazy and has www-data in the sudoers file
  • https://demo.itflow.org/ could potentially be taken down along with any other websites in the web directory
  • Security breach in division of account roles (for example, the Expenses page and expenses-related functions should not be available to technicians)

Severity

High


CVSS v3 base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: High

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H

CVE ID

No known CVE

Credits