CVE-2021-44664: Prohibit path traversal on upload · thexerteproject/xerteonlinetoolkits@6daeb81

An authenticated Remote Code Execution (RCE) vulnerability exists in Xerte through 3.9 in website_code/php/import/fileupload.php: a maliciously crafted PHP file can be uploaded through the project interface disguised as a language file, bypassing the upload filters. Attackers can control the file's destination by abusing path traversal in the 'mediapath' variable.
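The root cause described above is a destination directory taken from the request and checked only by substring. As an added example (not Xerte project code; the function names, the `$baseDir` argument and the scratch directory layout are assumptions), the following PHP shows the defensive pattern a reviewer would ask for: resolve the requested directory with `realpath()` and accept it only if the canonical result lies under the configured base directory, plus an allow-list check on the file name so a server-side script cannot be stored under a "language file" name.

```php
<?php
// Added example, not Xerte's code. Confine an upload destination to a fixed
// base directory by canonicalising the path and comparing prefixes, instead of
// scanning the raw request value for substrings such as "USER-FILES" or "../".

// Assumption: $baseDir is the server-side root under which uploads may land.
function resolveUploadDir(string $baseDir, string $requestedSubdir): ?string
{
    $base = realpath($baseDir);
    if ($base === false || strpos($requestedSubdir, "\0") !== false) {
        return null; // base must exist; NUL bytes are never legitimate in a path
    }
    // realpath() collapses "..", duplicate separators and symlinks. It returns
    // false for a directory that does not exist; never mkdir() from raw input.
    $resolved = realpath($base . DIRECTORY_SEPARATOR . $requestedSubdir);
    if ($resolved === false) {
        return null;
    }
    // Containment: the result is the base itself or a descendant of it. The
    // trailing separator stops "/srv/files2" from matching "/srv/files".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($resolved !== $base && strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        return null; // escapes the base directory
    }
    return $resolved;
}

// Allow-list the client-supplied file name: drop any directory component and
// accept only a known set of extensions (assumed list; the project would use
// whatever its language-file format actually is).
function safeUploadName(string $clientName, array $allowedExt): ?string
{
    $name = basename($clientName);
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if ($name === '' || $name === '.' || $name === '..' || !in_array($ext, $allowedExt, true)) {
        return null;
    }
    return $name;
}

// Usage with a constructed scratch layout.
$tmp = sys_get_temp_dir() . '/upload-demo-' . getmypid();
mkdir("$tmp/USER-FILES/project1", 0700, true);
$base = "$tmp/USER-FILES";

var_dump(resolveUploadDir($base, 'project1'));        // accepted: inside the base
var_dump(resolveUploadDir($base, '../'));             // rejected: parent of the base
var_dump(resolveUploadDir($base, 'project1/../../')); // rejected: resolves above the base

var_dump(safeUploadName('en-GB.xml', ['xml', 'json']));   // accepted
var_dump(safeUploadName('../../shell.php', ['xml', 'json'])); // rejected: extension not allowed
```

The first `resolveUploadDir` call returns the canonical `.../USER-FILES/project1` path; the two traversal attempts resolve to the scratch directory above the base and are rejected as `NULL`, whatever separator or encoding tricks were used to spell them, because the comparison happens after canonicalisation rather than on the request string. The name check is deliberately an allow-list: a deny-list of "bad" extensions is what lets a script slip through under a disguised name.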


@@ -72,7 +72,7 @@ function sanitizeName($file, &$response)

}

// Check upload path, should contain USER-FILES

if (strpos($_REQUEST[‘uploadURL’], ‘USER-FILES’) === false)

if (strpos($_REQUEST[‘uploadPath’], ‘USER-FILES’) === false || strpos($_REQUEST[‘uploadPath’], ‘…/’) !== false || strpos($_REQUEST[‘uploadURL’], ‘USER-FILES’) === false)

{

// Invalid folder, reject!

$response->uploaded = 0;
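Review bot: the tightened condition still decides by substring scanning on request-controlled values, and the two variables are treated inconsistently: `uploadPath` is rejected if it contains a literal `../` or lacks `USER-FILES` anywhere in the string, while `uploadURL` gets only the `USER-FILES` presence test and no traversal check at all. Since the destination directory ultimately comes from `$_REQUEST`, a more robust shape is to resolve the requested path with `realpath()` and require the canonical result to begin with the configured USER-FILES base directory, rejecting everything else; that covers separator and encoding variants and symlinks that a fixed-string comparison does not. The comment `// Check upload path, should contain USER-FILES` should also be updated to say that traversal sequences are now rejected, so the intent of the extra clauses is documented.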
