{"id":98,"date":"2022-10-20T01:42:03","date_gmt":"2022-10-20T01:42:03","guid":{"rendered":"https:\/\/ryancv-demo.bslthemes.com\/?p=98"},"modified":"2022-10-20T08:03:02","modified_gmt":"2022-10-20T08:03:02","slug":"bypassing-default-laravel-upload-validation","status":"publish","type":"post","link":"https:\/\/shwani.dev\/?p=98","title":{"rendered":"Bypassing Laravel Default File Upload Validation"},"content":{"rendered":"\n

Hello Fellow Hackers, I am Ahmed Kameran , Security Researcher from Kurdistan, Iraq.<\/p>\n\n\n\n

Hope you are doing well. I want to talk about one of my research’s in Laravel Core framework which allows to bypass Laravel default upload validation using different PHP extensions.<\/p>\n\n\n\n

<\/p>\n\n\n\n

Laravel Default behavior for file upload restriction<\/strong><\/p>\n\n\n\n

Laravel by default will block set of PHP extensions from uploading into the laravel application using this function.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

If you try to upload a file with these blocked extensions the validation will return an exception as these extensions were blocked by Laravel, let’s try to upload a file with (.php) extension:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

As we can see from above screenshot uploading a file with .php extension was blocked by Laravel file validation because .php was in this array list of blocked extensions:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

<\/p>\n\n\n\n

<\/p>\n\n\n\n

Bypassing Laravel File Upload Validation<\/strong><\/p>\n\n\n\n

The Laravel default function to prevent uploading .php extensions was not blocking .php7 or .php8 file extensions as some web servers will treat them as a normal php executable file.<\/p>\n\n\n\n

Now if we try to upload a file with .php7 extension the uploading will be successful as we can see in below screenshot:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

As some web servers will treat .php7 or .php8 file extension as a valid PHP executable like the example below which we uploaded .php7 and it got executed on the Apache web server as a valid PHP which can lead to Remote command execution<\/strong> on any server that accepts php7 or php8 files:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

<\/p>\n\n\n\n

Fixing the issue<\/strong><\/p>\n\n\n\n

I just opened a pull request to Laravel core that i added php7 and php8 into the array of blocked list PHP extensions.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

You can find my pull request HERE<\/a>.<\/p>\n\n\n\n

<\/p>\n\n\n\n

Vulnerable Laravel Applications<\/strong><\/p>\n\n\n\n

This issue was fixed in the Laravel’s latest version (v9.36.1<\/a>) so all versions before that were vulnerable to this type of attack.<\/p>\n\n\n\n

Vulnerable versions<\/p>\n\n\n\n

\n

9.x<\/p>\n\n\n\n

8.x<\/p>\n\n\n\n

7.x<\/p>\n\n\n\n

6.x<\/p>\n\n\n\n

5.x<\/p>\n\n\n\n

<\/p>\n<\/div><\/div>\n\n\n\n

Vulnerable Web servers<\/strong><\/p>\n\n\n\n

During my research i found out, A lot of cloud and host providers will configure there web servers to execute php7 and php8 file extensions as a normal php file.<\/p>\n\n\n\n

Here is an example of vulnerable configured Apache web server.
This is contents of \/etc\/apache2\/conf\/mime.types file<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

<\/p>\n\n\n\n

Fixing Web servers<\/strong><\/p>\n\n\n\n

Make sure your web server configuration didn’t treat other php extension types as a valid php file like example above.<\/p>\n\n\n\n

Also you can add .htaccess file to uploads directory to prevent execution of PHP in uploads directory which is controlled by end users.
Add this to .htaccess file in uploads directory<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

<\/p>\n\n\n\n

Mitigation<\/strong><\/p>\n\n\n\n

Upgrade Laravel to latest version (v9.36.1<\/a>) or make sure you configure your web server correctly so its does not treat other .php extensions as a normal PHP executable.<\/p>\n\n\n\n

<\/p>\n\n\n\n

Thanks<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"

Hello Fellow Hackers, I am Ahmed Kameran , Security Researcher from Kurdistan, Iraq. Hope you are doing well. I want…<\/p>\n","protected":false},"author":1,"featured_media":418,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[4,20,19,18,22,21],"acf":[],"_links":{"self":[{"href":"https:\/\/shwani.dev\/index.php?rest_route=\/wp\/v2\/posts\/98"}],"collection":[{"href":"https:\/\/shwani.dev\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/shwani.dev\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/shwani.dev\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/shwani.dev\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=98"}],"version-history":[{"count":24,"href":"https:\/\/shwani.dev\/index.php?rest_route=\/wp\/v2\/posts\/98\/revisions"}],"predecessor-version":[{"id":421,"href":"https:\/\/shwani.dev\/index.php?rest_route=\/wp\/v2\/posts\/98\/revisions\/421"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/shwani.dev\/index.php?rest_route=\/wp\/v2\/media\/418"}],"wp:attachment":[{"href":"https:\/\/shwani.dev\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=98"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/shwani.dev\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=98"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/shwani.dev\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=98"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}