cbcvebase.
CVE-2017-14704
published 2017-09-26


Priority: P266high
CVSS 3.0: 8.8 (high), vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 8.48% (94.3rd percentile)
Multiple unrestricted file upload vulnerabilities in the (1) imageSubmit and (2) proof_submit functions in Claydip Laravel Airbnb Clone 1.0 allow remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in images/profile.

Affected

1 range

Vendor    Product        Version range    Fixed in
claydip   airbnb_clone

Detection & IOCs (extracted from sources)

path: images/profile/
url: http://localhost/[PATH]/user/edit/uploadphoto
url: http://localhost/[PATH]/user/edit/uploadproof
path: images/profile/[$timestamp].Php
path: /images/profile
path: /images/proof
  • Monitor POST requests to the uploadphoto and uploadproof endpoints for file uploads containing executable extensions (e.g., .php, .Php, .phtml) in the 'profile_img_name' field, which bypass the validation applied only in imageSubmit but not in proof_submit.
  • The proof_submit function performs NO mime/extension validation before moving the uploaded file, making it the more trivially exploitable vector. Alert on any non-image file extension uploaded via POST to user/edit/uploadproof.
  • Detect direct GET requests to /images/profile/ or /images/proof/ for files with executable extensions (e.g., .php, .Php, .phtml, .php5) — this is the webshell access pattern following a successful upload.
  • The uploaded filename is constructed as a timestamp concatenated with the original client-supplied filename. Monitor for timestamp-prefixed PHP files (e.g., YYYY-MM-DD-HH-MM-SS-shell.php) appearing under the images/profile or images/proof directories.
  • Case-variation bypass (e.g., .Php) may evade naive extension blocklists. Ensure detection rules are case-insensitive when matching executable extensions in uploaded filenames.
  • The imageSubmit function includes a validation rule for mime types (jpeg, png, jpg, gif, svg), but this validation is applied to the field named 'image', NOT to 'profile_img_name', the actual field used for the file move. This means the validation is effectively bypassed regardless of input.
  • The proof_submit function contains zero server-side validation of file type or extension before writing the file to the public web root, making it unconditionally exploitable by any authenticated user.
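As an added illustration of the detection guidance above (example code written for this page, not taken from the advisory or from Claydip's project), the following Python scans constructed web-server access-log lines for the two patterns the bullets describe: POSTs to the upload endpoints, and direct requests for executable-extension files under images/profile or images/proof, matched case-insensitively and annotated when the stored name carries the timestamp prefix. The combined log format, the application prefix in the paths, and the sample lines are assumptions.

```python
import re

# Executable extensions named in the detection guidance; matched
# case-insensitively so that variants such as ".Php" are not missed.
EXEC_EXTS = ("php", "php5", "phtml")
UPLOAD_ENDPOINTS = ("/user/edit/uploadphoto", "/user/edit/uploadproof")

# Combined-log-format fields needed here: client IP, method, request path.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*"')
# A file with an executable extension under either upload directory; a
# trailing query string or fragment does not hide the extension.
WEBSHELL_RE = re.compile(
    r"/images/(?:profile|proof)/[^/?#]+\.(?:" + "|".join(EXEC_EXTS) + r")(?:[?#]|$)",
    re.IGNORECASE,
)
# The upload code stores files as "<timestamp><original client name>".
TS_PREFIX_RE = re.compile(r"/images/(?:profile|proof)/\d{4}-\d{2}-\d{2}-\d{2}-\d{2}-\d{2}", re.IGNORECASE)


def classify(line: str):
    """Return (alert, client_ip, path) for a suspicious access-log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, path = m.group("method"), m.group("path")
    bare = path.split("?", 1)[0].rstrip("/").lower()
    if method == "POST" and bare.endswith(UPLOAD_ENDPOINTS):
        return ("upload-endpoint", m.group("ip"), path)
    if WEBSHELL_RE.search(path):
        alert = "webshell-access"
        if TS_PREFIX_RE.search(path):
            alert += "+timestamp-name"
        return (alert, m.group("ip"), path)
    return None


def scan(lines):
    """Classify every line and keep only the alerts."""
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample log lines (not real traffic) exercising each pattern.
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Sep/2017:10:00:01 +0000] "POST /app/user/edit/uploadproof HTTP/1.1" 302 -',
    '203.0.113.5 - - [26/Sep/2017:10:00:04 +0000] "GET /app/images/proof/2017-09-26-10-00-01-shell.Php?cmd=id HTTP/1.1" 200 58',
    '198.51.100.9 - - [26/Sep/2017:10:01:00 +0000] "GET /app/images/profile/avatar.png HTTP/1.1" 200 4313',
    '198.51.100.9 - - [26/Sep/2017:10:01:02 +0000] "GET /app/images/profile/2017-09-26-10-01-00-photo.jpg HTTP/1.1" 200 9120',
]

if __name__ == "__main__":
    for alert, ip, path in scan(SAMPLE_LOG):
        print(f"{alert:30} {ip:15} {path}")
```

Only the GET-side pattern is visible in an access log; the 'profile_img_name' field itself is in the POST body, so the upload-endpoint alert is context for a WAF or body-inspecting proxy rule rather than proof of a malicious upload.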

CVSS provenance

nvd  v3.0  8.8  HIGH    CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd  v2.0  6.5  MEDIUM  AV:N/AC:L/Au:S/C:P/I:P/A:P