Unrestricted file upload vulnerability in ofc_upload_image.php - Vulnerability Database

Unrestricted file upload vulnerability in ofc_upload_image.php

Description

The ofc_upload_image.php file in Open Flash Chart v2 (Beta 1 through Lug Wyrm Charmer) contains an unrestricted file upload vulnerability that allows attackers to upload and execute malicious files on the server. When register_globals is enabled, the vulnerability can be exploited by manipulating the 'name' parameter to specify a file with an executable extension (such as .php) while placing malicious code in the raw POST body (the HTTP_RAW_POST_DATA variable), which the script writes to disk without validating either the name or the content. The uploaded file is stored in the tmp-upload-images/ directory and can be requested directly to execute the attacker's code. This vulnerability affects multiple products that bundle Open Flash Chart, including Piwik 0.2.35 through 0.4.3 and Woopra Analytics Plugin versions prior to 1.4.3.2.

Remediation

Immediately take the following steps to remediate this vulnerability:

1. Remove the vulnerable file: Delete ofc_upload_image.php from your web server if the upload functionality is not required for your application.

2. Apply vendor patches: Upgrade to a patched version of Open Flash Chart or apply security patches provided by the vendor. For affected products, upgrade Piwik to version 0.4.4 or later, and Woopra Analytics Plugin to version 1.4.3.2 or later.

3. Disable register_globals: Ensure register_globals is disabled in your PHP configuration (php.ini), as this deprecated feature is disabled by default in PHP 5.4.0 and later.

4. Implement file upload restrictions: If you must retain upload functionality, implement strict validation including:

<?php
// Assumes a multipart form upload in $_FILES['image']
$filename = $_FILES['image']['name'];
$tmp_file = $_FILES['image']['tmp_name'];

// Whitelist allowed file extensions (strict comparison, lower-cased)
$allowed_extensions = array('jpg', 'jpeg', 'png', 'gif');
$file_extension = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
if (!in_array($file_extension, $allowed_extensions, true)) {
    die('Invalid file type');
}

// Validate MIME type from the file content, not the client-supplied header
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mime_type = finfo_file($finfo, $tmp_file);
finfo_close($finfo);
if (!in_array($mime_type, array('image/jpeg', 'image/png', 'image/gif'), true)) {
    die('Invalid file content');
}

// Store under a server-generated name outside the web root, or block script
// execution in the upload directory (e.g. .htaccess with "php_flag engine off")
$safe_name = bin2hex(random_bytes(16)) . '.' . $file_extension;
move_uploaded_file($tmp_file, '/var/uploads/' . $safe_name);

5. Scan for compromise: Check the tmp-upload-images/ directory and server logs for any suspicious files or unauthorized access that may indicate prior exploitation.
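The compromise check in step 5 can be automated against web server access logs. The following Python script is an added example (not Invicti's or Open Flash Chart's code): it flags requests to ofc_upload_image.php whose 'name' query parameter is not a plain image file, and any request for a non-image file under tmp-upload-images/. The host names, paths and timestamps in the sample log are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined-format access log: client, method, request target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
IMAGE_EXTS = {"jpg", "jpeg", "png", "gif"}

def extension(name):
    """Lower-cased extension of a file name or path ('' if none)."""
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""

def classify(line):
    """Return a finding for one access-log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, _method, target, status = m.groups()
    parts = urlsplit(target)
    path = parts.path.lower()
    # Rule 1: upload handler called with a 'name' that is not a plain image file.
    # (A 'name' sent in the POST body is not visible here; rule 2 is the backstop.)
    if path.endswith("/ofc_upload_image.php"):
        for name in parse_qs(parts.query).get("name", []):
            traversal = "/" in name or "\\" in name or ".." in name
            if traversal or extension(name) not in IMAGE_EXTS:
                return f"upload-attempt client={client} name={name!r} status={status}"
    # Rule 2: anything fetched from the upload directory that is not an image.
    if "/tmp-upload-images/" in path and extension(path) not in IMAGE_EXTS:
        return f"non-image-access client={client} path={path} status={status}"
    return None

def scan(lines):
    """Findings for every line that matches a rule, in log order."""
    return [f for f in map(classify, lines) if f]

# Constructed sample log lines (hosts, paths and timestamps are made up).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /ofc/ofc_upload_image.php?name=shell.php HTTP/1.1" 200 52 "-" "curl/7.68.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /ofc/tmp-upload-images/shell.php HTTP/1.1" 200 13 "-" "curl/7.68.0"',
    '198.51.100.7 - - [10/Oct/2023:14:02:11 +0000] "POST /ofc/ofc_upload_image.php?name=chart.png HTTP/1.1" 200 52 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:14:02:12 +0000] "GET /ofc/tmp-upload-images/chart.png HTTP/1.1" 200 9121 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A 200 status on a rule 2 hit means the file was actually served, so treat it as a confirmed upload rather than a mere attempt and inspect the directory listing alongside the log.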
