CVE-2017-14704
Published 2017-09-26
Priority: P2 · 66 · high · 8.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Tags: EXPLOIT
EPSS: 8.48% (94.3rd percentile)
Multiple unrestricted file upload vulnerabilities in the (1) imageSubmit and (2) proof_submit functions in Claydip Laravel Airbnb Clone 1.0 allow remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in images/profile.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| claydip | airbnb_clone | — | — |
Detection & IOCs (extracted from sources)
- Monitor POST requests to the uploadphoto and uploadproof endpoints for uploads whose 'profile_img_name' field carries an executable extension (e.g. .php, .Php, .phtml). The only validation rule lives in imageSubmit, and it does not bind to this field; proof_submit has no validation at all.
- The proof_submit function performs no mime or extension validation before moving the uploaded file, making it the more trivially exploitable vector. Alert on any non-image file extension uploaded via POST to user/edit/uploadproof.
- Detect direct GET requests to /images/profile/ or /images/proof/ for files with executable extensions (e.g. .php, .Php, .phtml, .php5); this is the webshell access pattern that follows a successful upload.
- The stored filename is a timestamp concatenated with the original client-supplied filename. Monitor for timestamp-prefixed PHP files (e.g. YYYY-MM-DD-HH-MM-SS-shell.php) appearing under the images/profile or images/proof directories.
- Case variation (e.g. .Php) evades naive extension blocklists. Match executable extensions case-insensitively in detection rules for uploaded filenames.
- The imageSubmit function includes a mime-type validation rule (jpeg, png, jpg, gif, svg), but the rule is applied to a field named 'image', not to 'profile_img_name', the field actually moved to disk. The validation is therefore bypassed regardless of input.
- The proof_submit function contains no server-side validation of file type or extension before writing the file into the public web root, so it is unconditionally exploitable by any authenticated user.
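The indicators above translate into two checks: a request-body check on the upload handlers (any file field with an executable extension, compared case-insensitively) and an access-log check for executable files fetched from /images/profile/ or /images/proof/, escalated when the same client IP POSTed to an upload handler earlier. The following is an added Python example written for this page, not code from the advisory or from the Claydip project. It assumes Apache/nginx combined log format, assumes the full uploadphoto path by analogy with user/edit/uploadproof, and the sample log lines are constructed; the extension list goes slightly beyond the four the advisory names.

```python
"""Log-side detection for the upload-then-execute pattern behind CVE-2017-14704.

Added illustration, not code from the advisory or the Claydip project.
Assumes Apache/nginx combined access-log format; the sample lines are
constructed, and the full uploadphoto path is assumed by analogy with
user/edit/uploadproof.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Extensions a stock Apache/nginx + PHP setup hands to the interpreter. The
# advisory names .php, .Php, .phtml and .php5; the other aliases are an
# assumption. Everything is compared lower-cased, so .Php and .PHP match.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}

# Upload handlers and the public directories they write into.
UPLOAD_ENDPOINTS = ("/user/edit/uploadphoto", "/user/edit/uploadproof")
UPLOAD_DIRS = ("/images/profile/", "/images/proof/")

# Stored names are <timestamp>-<client filename>, e.g.
# 2017-09-26-10-11-10-shell.php, so this prefix is a strong marker.
TIMESTAMP_PREFIX = re.compile(r"^\d{4}-\d{2}-\d{2}-\d{2}-\d{2}-\d{2}-")

# Combined log format: ip ident user [ts] "METHOD path proto" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def extension_of(name: str) -> str:
    """Lower-cased final extension ('' when there is none)."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def is_executable_name(name: str) -> bool:
    return extension_of(name) in EXECUTABLE_EXTS


def check_upload(endpoint: str, field: str, filename: str) -> Optional[str]:
    """Request-body check (WAF or app middleware) for a multipart upload.

    Every file field is inspected, not just the one the original validator
    looked at: binding the rule to 'image' while moving 'profile_img_name'
    is exactly the mismatch that made imageSubmit's validation ineffective.
    Returns a reason when the request should be blocked, else None.
    """
    if not endpoint.startswith(UPLOAD_ENDPOINTS):
        return None
    if is_executable_name(filename):
        return f"executable upload {filename!r} in field {field!r} to {endpoint}"
    return None


@dataclass
class Alert:
    rule: str          # upload_post | webshell_access | upload_then_execute
    severity: str      # info | high | critical
    ip: str
    path: str
    ts: str
    status: str        # 200 means the webshell was actually served
    timestamp_named: bool = False


def scan_access_log(lines: Iterable[str]) -> list[Alert]:
    """Flag executable fetches under the upload directories and escalate
    when the same client IP POSTed to an upload handler earlier in the log."""
    alerts: list[Alert] = []
    uploaders: set[str] = set()
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not combined format; nothing to parse
        ip, ts, method, status = m["ip"], m["ts"], m["method"], m["status"]
        path = m["path"].split("?", 1)[0]  # drop ?cmd=... query strings
        if method == "POST" and path.startswith(UPLOAD_ENDPOINTS):
            uploaders.add(ip)
            alerts.append(Alert("upload_post", "info", ip, path, ts, status))
        elif path.startswith(UPLOAD_DIRS):
            name = path.rsplit("/", 1)[-1]
            if not is_executable_name(name):
                continue  # ordinary image fetch
            rule, sev = "webshell_access", "high"
            if ip in uploaders:
                rule, sev = "upload_then_execute", "critical"
            alerts.append(Alert(rule, sev, ip, path, ts, status,
                                bool(TIMESTAMP_PREFIX.match(name))))
    return alerts


# Constructed sample log: one upload-then-shell sequence, one benign image
# fetch, and one stray webshell request with no upload seen from that IP.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Sep/2017:10:11:10 +0000] "POST /user/edit/uploadproof HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Sep/2017:10:11:12 +0000] "GET /images/proof/2017-09-26-10-11-10-shell.Php?cmd=id HTTP/1.1" 200 54 "-" "Mozilla/5.0"
198.51.100.4 - - [26/Sep/2017:10:12:00 +0000] "GET /images/profile/2017-09-26-09-00-00-avatar.png HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.9 - - [26/Sep/2017:10:13:30 +0000] "GET /images/profile/c99.phtml HTTP/1.1" 200 4401 "-" "curl/7.55"
"""

if __name__ == "__main__":
    for a in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"[{a.severity}] {a.rule} ip={a.ip} path={a.path} "
              f"status={a.status} timestamp_named={a.timestamp_named}")
```

Two design points worth noting. The request-body check deliberately ignores the field name: restricting the rule to one field is how the original validation missed the file that was actually written, so the check applies to every file part on the upload endpoints. On the log side, a webshell fetch with status 200 from an IP that also POSTed to an upload handler is rated critical, while a lone executable fetch is still high; the 404 case (file never landed, or already removed) is carried in the alert's status for the analyst rather than suppressed.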
CVSS provenance
- NVD, CVSS v3.0: 8.8 HIGH (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 6.5 MEDIUM (AV:N/AC:L/Au:S/C:P/I:P/A:P)
No detection rules found.
No writeups or analysis indexed.