Submission #831551: mjperpinosa stumasy 1.0 RCE vulnerability

Title: mjperpinosa stumasy 1.0 RCE vulnerability

Description:

The profile image upload functionality suffers from the same flawed validation logic as the post attachment endpoint. The script attempts to verify the uploaded file by checking whether the client-supplied MIME type **or** the file extension is in a whitelist:

```php
if (in_array($_FILES["type"], allowed_file_type) || in_array($image_extension, allowed_extension)) ···
```

Because an OR condition is used, an attacker can simply forge the Content-Type header to a value like image/png (whitelisted) while keeping a .php extension. The file is then saved to a web-accessible directory with a randomised name, but the extension remains .php:

```php
$image_extension = pathinfo($_FILES["name"], PATHINFO_EXTENSION);
$unique_image_name = rand(...) . "." . $image_extension;
move_uploaded_file(..., "../../../../documents/images/" . $unique_image_name);
```

The server responds with the generated filename, allowing the attacker to immediately request the uploaded PHP script and achieve remote code execution.

Steps to Reproduce:

1. Create a minimal PHP web shell (e.g., `<?php echo 'RCE_OK'; ?>`) and save it as avatar.php.
2. Send a multipart POST request to change_profile_image.php with the file field pr_profile_image, forging the MIME type to image/png.
3. The server responds with a randomised filename (e.g., 9540896652.php).
4. Access the file under http://127.0.0.1:3000/documents/images/9540896652.php.
5. The PHP code executes, proving RCE.
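For comparison, a hardened version of the upload check that avoids the flaw described above: this is an added example, not code from stumasy, and it assumes a hypothetical UPLOAD_DIR outside the web root and the page's field name pr_profile_image. It ignores both the client-supplied MIME type and the client-supplied extension, sniffs the file content on the server, and derives the stored extension from the detected type.

```php
<?php
// Added example (not stumasy's code): server-side validation of an uploaded
// profile image that trusts neither $_FILES[...]['type'] nor the client filename.
// Assumed: UPLOAD_DIR is a hypothetical directory that the web server does not serve.
const UPLOAD_DIR = '/var/app/uploads/images';

/**
 * Validates one entry of $_FILES (e.g. $_FILES['pr_profile_image']) and stores it
 * under a generated name. Returns the stored filename, or null if rejected.
 */
function store_profile_image(array $file): ?string
{
    // Server-detected MIME type => extension we assign ourselves.
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    if ($file['size'] > 2 * 1024 * 1024) {      // 2 MiB cap
        return null;
    }

    // Sniff the content on the server; the Content-Type header is attacker-controlled.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if ($detected === false || !isset($allowed[$detected])) {
        return null;
    }

    // Require that the bytes actually decode as an image of the sniffed type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $detected) {
        return null;
    }

    // Both checks must pass (AND, not OR), and the extension never comes from the client.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$detected];
    $dest = UPLOAD_DIR . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644);                          // not executable
    return $name;
}

// Usage: $stored = store_profile_image($_FILES['pr_profile_image']);
```

Serving the stored files through a handler that sets the Content-Type from the stored extension, rather than exposing the upload directory directly, removes the remaining risk of the web server interpreting an uploaded file as a script.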
Source: https://github.com/mjperpinosa/stumasy/issues/3
User: j1nk1ng (UID 98141)
Submitted: 2026-05-16 14:58 (21 days ago)
Moderated: 2026-06-04 07:14 (19 days later)
Status: Accepted
VulDB entry: 368255 [mjperpinosa stumasy change_profile_image.php pr_profile_image privilege escalation]
Points: 20
