id: ueditor-file-upload

info:
  name: UEditor - Arbitrary File Upload
  author: princechaddha
  severity: high
  description: UEditor contains an arbitrary file upload vulnerability. An attacker can upload arbitrary files to the server, which in turn can be used to make the application execute file content as code, As a result, an attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
  reference:
    - https://zhuanlan.zhihu.com/p/85265552
    - https://www.freebuf.com/vuls/181814.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cwe-id: CWE-434
  metadata:
    max-request: 1
  tags: ueditor,fileupload,intrusive

http:
  - method: GET
    path:
      - "{{BaseURL}}/ueditor/net/controller.ashx?action=catchimage&encode=utf-8"

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        words:
          - "没有指定抓取源"
        part: body

# digest: 4b0a004830460221009501e1673bff22890bdf6f86f4abb6d383d42416aeac992aa6c8edbc53f42c88022100f51d9202825dc28b1c88f323a8b862eb5a5f94f8a739073f5a421506eb586aa9:922c64590222798bb761d5b6d8e72950