CVE-2006-4581

Source: PSIRT-CNA@flexerasoftware.com

MEDIUM
5.0
Published: December 31, 2006 at 05:00 AM
Modified: April 9, 2025 at 12:30 AM

Vulnerability Description

Unrestricted file upload vulnerability in The Address Book 1.04e validates the Content-Type header but not the file extension, which allows remote attackers to upload arbitrary PHP scripts.

CVSS Metrics

Base Score
5.0
Severity
MEDIUM
Vector String
AV:N/AC:L/Au:N/C:N/I:P/A:N

Weaknesses (CWE)

NVD-CWE-Other
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

The Address Book 1.04e suffers from a critical vulnerability allowing for arbitrary code execution. Attackers can exploit an unrestricted file upload flaw by uploading malicious PHP scripts disguised as legitimate files, leading to complete system compromise and potential data breaches.

02 // Vulnerability Mechanism

Step 1: Payload Creation: The attacker crafts a malicious PHP script containing the desired payload (e.g., a web shell, reverse shell, or code to exfiltrate data).

Step 2: File Disguise: The attacker renames the PHP script, giving it a seemingly harmless extension like .jpg or .png to bypass initial checks.

Step 3: File Upload: The attacker uses the vulnerable file upload functionality in The Address Book 1.04e to upload the disguised PHP script.

Step 4: Content-Type Spoofing (Optional): While the vulnerability description states Content-Type is validated, an attacker might still attempt to spoof the Content-Type header to further obfuscate the upload.

Step 5: File Access: The attacker accesses the uploaded file via a web request, triggering the server to execute the PHP code.

Step 6: Code Execution: The server's PHP interpreter executes the malicious script, granting the attacker control over the server.

03 // Deep Technical Analysis

The vulnerability stems from insufficient input validation. The application checks the Content-Type header during file upload but fails to validate the file extension. This allows attackers to bypass security measures by uploading PHP scripts with misleading extensions (e.g., .jpg, .png). The server then processes the uploaded file, executing the malicious PHP code when the file is accessed via a web request. The root cause is a lack of proper input validation and sanitization of uploaded files, specifically the file extension. This oversight allows for remote code execution (RCE).

04 // Exploitation Status

Likely **Public PoC** available. Given the age of the vulnerability, it's highly probable that proof-of-concept exploits are readily available online. It's also possible that it has been **Actively exploited** in the past, though current exploitation is less likely due to the age of the software.

05 // Threat Intelligence

While no specific APTs are directly linked to this CVE, the nature of the vulnerability makes it attractive to various threat actors. It could be used by any attacker seeking to gain initial access or escalate privileges. The age of the software makes it less likely to be a target for sophisticated APTs, but it could be used by less sophisticated actors or as part of a larger attack chain. Not listed on CISA KEV due to its age and the likely lack of widespread usage of the vulnerable software.

06 // Detection & Hunting

  • Monitor web server logs for suspicious file uploads, especially those with unusual extensions or file names.

  • Analyze web server access logs for requests to uploaded files, particularly those with unexpected extensions.

  • Implement file integrity monitoring to detect unauthorized file modifications.

  • Network Intrusion Detection Systems (IDS) can be configured to detect suspicious HTTP requests containing PHP code or attempts to access uploaded files.

  • Examine the file system for the presence of unexpected PHP files in the upload directory.

07 // Remediation & Hardening

  • Upgrade/Patch: The primary remediation is to upgrade to a patched version of The Address Book or, preferably, migrate to a more secure and actively maintained application. Since the software is old, patching is unlikely. Consider complete removal.

  • Input Validation: Implement robust input validation on the server-side to verify both the file extension and the file content. Ensure that only allowed file types are permitted.

  • Content-Type Validation: Strengthen Content-Type validation to ensure it aligns with the file extension and content.

  • File Storage: Store uploaded files outside of the webroot to prevent direct execution.

  • File Execution Prevention: Configure the web server to prevent execution of scripts in the upload directory (e.g., using .htaccess files or server configuration).

  • Regular Security Audits: Conduct regular security audits and penetration testing to identify and address vulnerabilities.
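As an added example (not code from The Address Book or from this advisory), the following PHP upload handler applies the validation and storage points above: it ignores the client-supplied Content-Type that the vulnerable version relied on, checks the extension against an allowlist, checks the file's actual bytes, and stores the result under a server-chosen name outside the webroot. The form field name and the storage path are assumptions.

```php
<?php
declare(strict_types=1);
// Added example: hardened image upload handler.
// UPLOAD_DIR and the 'photo' form field are assumed values.

// Storage outside the document root: nothing here can be requested
// (and therefore executed) directly through the web server.
const UPLOAD_DIR = '/var/app-data/uploads';

// Allowlist: extension => MIME type expected from the file's own bytes.
const ALLOWED = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

function storeUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // 1. Extension check. Lower-casing plus a strict allowlist lookup
    //    rejects "shell.php", "shell.PHP", "shell.phtml" and the like.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('file type not allowed');
    }
    // 2. Content check from the bytes on disk. $file['type'] is a copy of
    //    the client's Content-Type header, which is attacker-controlled,
    //    so it is deliberately never consulted.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($detected !== ALLOWED[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // 3. Server-chosen name: the client's filename never reaches the
    //    filesystem, so path tricks and double extensions are moot.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    // move_uploaded_file() refuses any source that is not an HTTP upload.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // data file, never executable
    return $name;
}

// Usage from the form handler:
//   $stored = storeUpload($_FILES['photo']);
```

Stored files are then served by a script that reads from UPLOAD_DIR and sets the response Content-Type from the allowlisted extension, so the web server never maps the upload directory to a URL.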

08 // Affected Products

The Address Book 1.04e

09 // Discovered Proof of Concept Links
