
Untrusted Deserialization in ClipBucket-v5 Version 2.0 to 5.5.1 Revision 199

High
MacWarrior published GHSA-4523-mqmv-wrqx Dec 6, 2024

Package

No package listed

Affected versions

2.0 =< 5.5.1 - 199

Patched versions

>= 5.5.1 - 200

Description

Summary

An unsafe deserialization vulnerability allows an authenticated user to cause unexpected behaviours of the application. This includes arbitrary file deletion, which affects application availability. It can possibly lead to arbitrary command execution if an adversary can chain gadgets within the application.
Also, if the application allows self registration (enabled by default), an unauthenticated user can exploit this issue by creating a new user account.

Details

ClipBucket-v5 Version 2.0 to Version 5.5.1 Revision 199 are vulnerable to a PHP deserialization vulnerability. The vulnerability exists in upload/photo_upload.php at line 11 and line 23, specifically within the decode_key function. User input is supplied to this function without sanitisation via the collection GET parameter (line 10) and the photoIDS POST parameter respectively. The decode_key function invokes the PHP unserialize function, as defined in upload/includes/classes/photos.class.php at line 2888. As a result, it is possible for an adversary to inject a maliciously crafted PHP serialised object and utilise gadget chains to cause unexpected behaviours of the application.
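The pattern the advisory describes, base64-decoding a request parameter and passing the result straight to unserialize(), is shown below beside a hardened replacement. This is an added example, not ClipBucket code: decode_key is the function the advisory names, but its body here is a hypothetical reconstruction, decode_key_safe is an assumed name, and the expected payload shape (a flat list of positive integer IDs, as a photoIDS parameter might carry) is an assumption about the application.

```php
<?php
// Added example, not ClipBucket code. decode_key() is the function the advisory
// names; the body below is a hypothetical reconstruction of the pattern the
// advisory describes (base64-decode user input, then unserialize it).
declare(strict_types=1);

// HYPOTHETICAL reconstruction of the vulnerable shape. Whatever arrives in the
// `collection` or `photoIDS` parameter reaches unserialize() untouched, so any
// loadable class with a magic method (__wakeup, __destruct, __toString, ...)
// is a potential gadget. Defined for comparison only; never called below.
function decode_key_unsafe(string $encoded)
{
    return unserialize(base64_decode($encoded));
}

// Hardened replacement (name is an assumption). It keeps the wire format but
// closes the object-instantiation path and checks the shape of the result:
//  1. strict base64, so non-alphabet bytes are rejected instead of skipped;
//  2. allowed_classes => false: serialized objects become __PHP_Incomplete_Class,
//     so no constructor, __wakeup or __destruct of any real class ever runs;
//  3. max_depth caps nesting so a hostile payload cannot exhaust the stack;
//  4. the caller states the expected shape (here a flat list of positive
//     integer IDs, an assumption about what photoIDS carries); anything else
//     is refused.
function decode_key_safe(string $encoded): ?array
{
    $raw = base64_decode($encoded, true);
    if ($raw === false || $raw === '') {
        return null;
    }
    // Defence in depth, not the primary control: a payload that is only ever
    // supposed to carry integers has no reason to contain an object token.
    if (preg_match('/(?:^|[;{])[OC]:\d+:"/', $raw) === 1) {
        return null;
    }
    $data = @unserialize($raw, ['allowed_classes' => false, 'max_depth' => 2]);
    if (!is_array($data)) {
        return null;
    }
    $ids = [];
    foreach ($data as $value) {
        if (!is_int($value) || $value <= 0) {
            return null;
        }
        $ids[] = $value;
    }
    return $ids;
}

// Constructed inputs for a self-check. The "object payload" uses stdClass, a
// harmless stand-in for any serialized object; the point is that it is refused.
$samples = [
    'legit list'     => [base64_encode(serialize([12, 7, 301])), [12, 7, 301]],
    'object payload' => [base64_encode('O:8:"stdClass":0:{}'), null],
    'nested array'   => [base64_encode(serialize([1, [2, 3]])), null],
    'not base64'     => ['%%%not-base64%%%', null],
    'string not int' => [base64_encode(serialize(['12'])), null],
];

$allOk = true;
foreach ($samples as $label => [$input, $expected]) {
    $got = decode_key_safe($input);
    $ok = ($got === $expected);
    $allOk = $allOk && $ok;
    printf("%-15s %s\n", $label, $ok ? 'ok' : 'MISMATCH');
}
exit($allOk ? 0 : 1);
```

The allowed_classes option is the control that matters: gadget chains work because unserialize() instantiates whatever class the payload names and later triggers its magic methods, and with allowed_classes set to false no such instance is ever created. The regex pre-filter and the shape check are cheap extra layers for the case where the expected data is plain scalars. Where the format can be changed, carrying a list of IDs as JSON and validating it with json_decode() removes the unserialize() sink altogether.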

PoC

An adversary can register via the Sign up feature of the application.
With a valid user session, malicious payloads can be supplied to the https://[URL]/photo_upload.php endpoint via its collection GET parameter or photoIDS POST parameter.
As a proof of concept, known gadget chains from PHPGGC can be used to delete arbitrary files.
A sample payload can be generated as shown below:
[image: PHPGGC payload generation]
The payload needs to be base64 encoded to be supplied to the collection GET parameter or photoIDS POST parameter, and the final HTTP requests are shown below:

  • GET Request
    [image: GET request with the payload in the collection parameter]
  • POST Request
    [image: POST request with the payload in the photoIDS parameter]
    Note that the POST request requires an EnterInfo parameter within the body along with the photoIDS parameter.

These payloads end up deleting /tmp/toDelete.txt in this case; however, the file can be anything and will be removed as long as file permissions allow.
See below for the application trying to delete this file:
[image: application attempting to delete /tmp/toDelete.txt]

Impact

If an adversary successfully exploits this issue, it is possible to delete arbitrary files within the file system. An adversary could delete any of the application source files to make the application unusable, or, if the application relies on a specific file to restrict access to the installer, an adversary could initiate application installation and create a new administrative user account. This essentially takes over the application.
Also, if an adversary can identify another gadget chain, it would be possible to obtain remote code execution.

Severity

High

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID

CVE-2024-54135

Weaknesses

Credits