Image: KAIST
Through the use of an automated testing toolkit, a team of South Korean academics has discovered 30 vulnerabilities in the file upload mechanisms used by 23 open-source web applications, forums, store builders, and content management systems (CMSes).
When present in real-world web apps, these types of vulnerabilities allow hackers to exploit file upload forms and plant malicious files on a victim’s servers.
These files could be used to execute code on a website, weaken existing security settings, or function as backdoors, allowing hackers full control over a server.
Academics built their own testing tool
All the file-uploading vulnerabilities were discovered using FUSE, a new automated penetration testing tool created to uncover UFU (unrestricted file upload) and UEFU (unrestricted executable file upload) vulnerabilities in PHP applications.
The research team said that prior to building FUSE they analyzed past file upload bugs and identified the eight most common exploitation patterns and techniques.
FUSE consists of these eight patterns, along with five new variations devised by the research team (see M5, M7, M9, M10, and M13 in the table below).
Image: Lee et al.
After they built FUSE, the research team said they selected the 33 most popular web apps, including the likes of forums, CMSs, enterprise products, and online store builders.
The research team, which consisted of academics from the Korea Advanced Institute of Science and Technology Constitution (KAIST) and the Electronics and Telecommunications Research Institute (ETRI), said they individually tested FUSE against the latest versions of those web apps (at the time of the tests, in February 2019).
Using a series of automated requests, the researchers exploited file upload mechanisms in the 33 web apps in an attempt to plant various types of malicious files (PHP, JS, HTML, XHTML, htaccess) inside one of the tested web apps.
KAIST and ETRI researchers said the tests unearthed 30 file upload bugs impacting 23 of the 33 applications they tested.
Image: Lee et al.
Not all bugs have been patched.
The tests took place in February 2019, and the table may contain web apps that have received updates during the past year. However, KAIST and ETRI researchers said that not all projects have patched the bugs they found, and some of the projects highlighted in yellow above may still contain one or more file upload bugs.
“We reported all the 30 UEFU vulnerabilities to the corresponding vendors and obtained 15 CVEs from nine applications,” the research team said.
“Eight vulnerabilities from five vendors have been patched. Five vulnerabilities from four vendors, including WordPress, confirmed that they would address the reported vulnerabilities,” researchers added.
“15 bugs are awaiting confirmation from the corresponding vendors. Two vendors declined to patch the reported bugs.”
As the researchers explain, a reason why some vendors didn’t prioritize patches — or downright refused to patch — was because 14 of the 30 bugs required admin access to exploit, a criteria that many projects don’t consider to be a risk since a hacker with admin access can hijack a server through legitimate CMS features anyway.
But while KAIST and ETRI researchers listed the web apps that contained bugs, they didn’t list which projects patched and which did not — in an attempt to prevent attacks against web apps that did not ship a patch yet.
Additional details, including the testing methodology, are available in the research team’s white paper named “FUSE: Finding File Upload Bugs via Penetration Testing,” and available for download in PDF format from here and here.