GLPI 0.85.5 上传漏洞分析

在exp-db上面看到的漏洞，这是原文链接：https://www.exploit-db.com/exploits/38407/

但是POC给的很简单，这是原来的描述：

"

The application allows users to upgrade their own profile. The user has
the possibility to add a new photo as attachment.

The photo that he uploads will be stored into "GLPI_ROOT/files/_pictures/".

This file, for example named "photo.jpeg", will be directly accessible
through "http://host/GLPI_ROOT/files/_pictures/XXXX.jpeg", where "XXXX"
is an ID automatically generated by the system and visible in the HTML
source code.

Besides, the server does not check the extension of the uploaded file,
but only the first bytes within it, that indicates which kind of file is.

Exploiting this flaw, an attacker may upload a tampered jpeg file that
contains php code placed at the end of the file, so that, just changing
the file extention to ".php", by default the php code will be interpreted!
 
To trigger this vulnerability it is necessary to have an account.

This vulnerability is a combination of two issues:
- predictable uploaded file names and path
- upload of any kind of file, not limited to images

"

大概意思就是说对上传的文件不检查后缀，只检查文件内容的前一个字节，如果判定是合法内容就会上传，利用方式就是在一个正常的图片文件后面加入PHP代码即可，而且路径也好找。

本着要对漏洞形成原因知根知底的态度，还是需要看看源码的，问题是在./inc/user.class.php中

关键代码如下：

 // Move uploaded file
                   $filename     = $this->fields['id'];
                   $tmp          = explode(".", $_FILES['picture']['name']);
                   $extension    = array_pop($tmp);  //获取原始文件的后缀
                   $picture_path = GLPI_PICTURE_DIR."/$filename.".$extension; //直接拼接原来的后缀
                   self::dropPictureFiles($filename.".".$extension);

也不知道是开发人员忘了处理后缀还是怎么回事，估计也有可能是想对图片内容做二次渲染，所以就算是原来的后缀也可以不尿恶意攻击者，然而开发者忘了？
总之上传洞就这么产生了~~