Submission #831551: mjperpinosa stumasy 1.0 RCE vulnerability (Info)

Title: mjperpinosa stumasy 1.0 RCE vulnerability
Description: The profile image upload functionality suffers from the same flawed validation logic as the post attachment endpoint. The script attempts to verify the uploaded file by checking if the client‑supplied MIME type **or** the file extension is in a whitelist:

```php
if (in_array($_FILES["type"], allowed_file_type) || in_array($image_extension, allowed_extension)) ···
```

Because an OR condition is used, an attacker can simply forge the Content-Type header to a value like image/png (whitelisted) while keeping a .php extension. The file is then saved to a web‑accessible directory with a randomised name, but the extension remains .php:

```
$image_extension = pathinfo($_FILES["name"], PATHINFO_EXTENSION);
$unique_image_name = rand(...) . "." . $image_extension;
move_uploaded_file(..., "../../../../documents/images/" . $unique_image_name);
```

The server responds with the generated filename, allowing the attacker to immediately request the uploaded PHP script and achieve remote code execution.

Steps to Reproduce

1. Create a minimal PHP web shell (e.g., <?php echo 'RCE_OK'; ?>) and save it as avatar.php.
2. Send a multipart POST request to change_profile_image.php with the file field pr_profile_image, forging the MIME type to image/png.
3. The server responds with a randomised filename (e.g., 9540896652.php).
4. Access the file under http://127.0.0.1:3000/documents/images/9540896652.php.
5. The PHP code executes, proving RCE.
Source: ⚠️ https://github.com/mjperpinosa/stumasy/issues/3
User: j1nk1ng (UID 98141)
Submitted: 2026-05-16 02:58 PM (25 days ago)
Moderation: 2026-06-04 07:14 AM (19 days later)
Status: Accepted
VulDB entry: 368255 [mjperpinosa stumasy change_profile_image.php pr_profile_image privilege escalation]
Points: 20
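
The OR-based check described in the submission, next to a hardened form, as an added example that is not stumasy's code or part of the original report. The function names, the allow-lists and the two sample uploads are assumptions constructed for illustration.

```php
<?php
// Added example, not stumasy code; every name below is hypothetical.
const ALLOWED_MIME = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];
const ALLOWED_EXT  = ['png', 'jpg', 'jpeg', 'gif'];

// Shape of the reported check: one passing test is enough (OR).
function flawed_accepts(array $file): bool
{
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    return array_key_exists((string) $file['type'], ALLOWED_MIME)
        || in_array($ext, ALLOWED_EXT, true);
}

// Hardened check: the client-supplied type is ignored, the content is sniffed
// server-side, the extension must also be allowed (AND), and the stored name
// takes its extension from the detected type, never from the client.
function safe_image_name(array $file): ?string
{
    $detected = (string) (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($detected, ALLOWED_MIME) || !in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    return bin2hex(random_bytes(16)) . '.' . ALLOWED_MIME[$detected];
}

// Constructed sample uploads, shaped like one $_FILES entry each.
$script = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($script, "<?php echo 'RCE_OK'; ?>");
$image = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($image, base64_decode(   // 1x1 PNG
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mNkYAAAAAYAAjCB0C8AAAAASUVORK5CYII='
));
$uploads = [
    ['name' => 'avatar.php', 'type' => 'image/png', 'tmp_name' => $script],
    ['name' => 'avatar.png', 'type' => 'image/png', 'tmp_name' => $image],
];
foreach ($uploads as $u) {
    printf("%-10s flawed=%s hardened=%s\n", $u['name'],
        flawed_accepts($u) ? 'accept' : 'reject', safe_image_name($u) ?? 'reject');
    unlink($u['tmp_name']);
}
```

Disabling script execution in the upload directory is a separate layer that limits the impact if a validation check is ever bypassed.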
