A team of researchers from South Korea found 30 vulnerabilities in file upload mechanisms of 23 web applications ( 1 , 2 ). Among them are popular open source solutions, forums, CMS and so on. In fact, such vulnerabilities allow hackers to use file upload forms to host a wide variety of malicious files on victims’ websites.
To conduct this study, experts developed their own tool for automatic pentest, called FUSE. It is designed to identify vulnerabilities such as UFU (unrestricted executable file upload) and UEFU (unrestricted executable file upload, “unlimited download of executable files”) in PHP applications.
Before creating FUSE, researchers examined previously discovered file upload errors and identified eight of the most common patterns and methods for operating them. As a result, the tool contains the eight mentioned patterns, as well as five new variations developed by the research team itself.
Since the analysis was carried out a year ago, in February 2019, many web applications marked as vulnerable in the table have already received updates. However, researchers write that over the course of a year, not all projects fixed the problems found, and some may still be vulnerable. Product names (with or without corrections) have not yet been disclosed to prevent attacks on web applications that have not yet released patches.
“We reported all 30 UEFU vulnerabilities to the respective vendors and received 15 CVEs for 9 applications. 8 vulnerabilities in products of 5 providers have already been fixed. Another 5 vulnerabilities in the products of 4 suppliers, including WordPress, have been confirmed by developers and will be fixed. Confirmations from the respective vendors expect 15 errors. Two suppliers refused to fix the vulnerabilities found, ”the researchers write.
Many errors have not yet been fixed and are not in the priority of developers for the simple reason that 14 out of 30 vulnerabilities found require administrative access to operate, and a hacker with administrator rights can, in any case, establish full control over a vulnerable server.