[SEC-006] Unrestricted File Upload - Arbitrary File Upload of Image and Audio for Song
Description
Although the form restricts the file type for the image and audio fields with the accept attribute, like this:
<div class="song__input">
<label for="file_lagu">Upload Lagu:</label>
<input type="file" required name="file_lagu" id="file_lagu" accept="audio/*"/>
</div>
<div class="song__input">
<label for="image_file">Gambar Cover Lagu:</label>
<input type="file" name="image_file" id="image_file" accept="image/*"/>
</div>
users can still upload arbitrary files, including .php files, because the restriction exists only in the browser and is not enforced on the server. However, after further investigation, although a .php file can be uploaded, the server does not execute it, so the severity is lower than anticipated.
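The accept attribute is only a hint to the browser, so the same check has to be repeated on the server. The following is an added example, not code from the reported application: a validator that allowlists extensions per form field, sniffs the file's magic bytes, requires the two to agree, and stores the file under a random name. The signature table and the list of accepted formats are assumptions; the field names file_lagu and image_file come from the form above.

```python
import os
import secrets
from typing import Optional, Tuple

# Magic-byte signatures for the formats the song form is assumed to accept.
# Field names file_lagu / image_file are from the report; the format list is an assumption.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "image/png", ".png"),
    (b"\xff\xd8\xff",      "image/jpeg", ".jpg"),
    (b"GIF87a",            "image/gif", ".gif"),
    (b"GIF89a",            "image/gif", ".gif"),
    (b"ID3",               "audio/mpeg", ".mp3"),
    (b"OggS",              "audio/ogg", ".ogg"),
    (b"fLaC",              "audio/flac", ".flac"),
]
ALLOWED = {"image_file": {".png", ".jpg", ".gif"}, "file_lagu": {".mp3", ".wav", ".ogg", ".flac"}}

def sniff(head: bytes) -> Optional[Tuple[str, str]]:
    """Identify content from its first bytes, ignoring the client-supplied name and Content-Type."""
    for magic, mime, ext in SIGNATURES:
        if head.startswith(magic):
            return mime, ext
    if head.startswith(b"RIFF") and head[8:12] == b"WAVE":   # WAV: "RIFF" <size> "WAVE"
        return "audio/wav", ".wav"
    if head[:2] in (b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"):    # MP3 frame sync without ID3 tag
        return "audio/mpeg", ".mp3"
    return None

def check_upload(field: str, filename: str, head: bytes) -> Tuple[bool, str]:
    """Server-side check that the form's accept attribute cannot provide.
    Returns (accepted, stored_name_or_reason)."""
    if field not in ALLOWED:
        return False, "unknown upload field"
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    ext = ".jpg" if ext == ".jpeg" else ext
    if ext not in ALLOWED[field]:
        return False, f"extension {ext or '(none)'} not allowed for {field}"
    found = sniff(head)
    if found is None:
        return False, "content does not match any accepted image or audio format"
    mime, real_ext = found
    if real_ext != ext:
        return False, f"content is {mime} but name claims {ext}"
    # Never keep the client's name: store under a random name with the verified extension.
    return True, secrets.token_hex(16) + real_ext
```

Pass only the first few kilobytes of the upload as head; the random stored name also prevents a user-chosen name from ever reaching the web root.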
Severity
This bug has severity MEDIUM. Although the uploaded script cannot be executed, it is a security smell in itself.
Affected URL
- /lagu/add
- /, given the uploaded file is included as an image.
- /lagu/:id, where id is the id of the song with the payload, including /lagu/:id/edit
- /search, given the song that uses the file as its image is shown in the results.