Catchpoint WebPageTest
cpe:2.3:a:webpagetest:webpagetest:*:*:*:*:*:*:*
- <= 2.6
This vulnerability is being actively exploited in the wild.
An arbitrary file upload vulnerability has been identified in WebPageTest versions through 2.6. The issue resides in the resultimage.php script, where the application fails to properly validate or sanitize user input before saving uploaded files to a publicly accessible directory. This vulnerability allows remote attackers to upload and execute arbitrary PHP code, achieving full remote code execution under the context of the web server.
Successful exploitation lets an attacker upload arbitrary files that the server then executes as PHP scripts. This leads to remote code execution on the server, under the web server's user privileges.
To reproduce this vulnerability, upload a PHP file containing a payload through the 'file' parameter of the 'resultimage.php' script. The uploaded file will be saved in the 'results' directory, where it can be accessed and executed, triggering the payload. This vulnerability can also be exploited using the 'dopublish.php' and 'workdone.php' scripts, which similarly allow for arbitrary file uploads that can be exploited for remote code execution.
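A log check for the pattern described above, as an added example that is not part of the original advisory: it flags requests for PHP-executable files under the results directory and records whether the same client had earlier POSTed to one of the three upload scripts. The combined access-log format, the /results/ URL prefix and the sample log lines are assumptions.

```python
import re
from urllib.parse import unquote

# Upload endpoints named in the advisory; matched by file name only.
UPLOAD_SCRIPTS = {"resultimage.php", "dopublish.php", "workdone.php"}
# Assumption: the 'results' directory is served under this URL prefix.
RESULTS_PREFIX = "/results/"
# Assumption: Apache/nginx "combined" access-log format.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# File extensions a PHP handler is commonly configured to execute.
SCRIPT_RE = re.compile(r"\.(?:php\d?|phtml|phar)(?:/|$)", re.IGNORECASE)

def find_script_hits(lines):
    """Return one dict per request for a script file under the results directory."""
    uploaders = set()   # clients that POSTed to an upload script earlier in the log
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue    # skip lines that are not in the expected format
        client, ts, method, target, status = m.groups()
        path = unquote(target.split("?", 1)[0])
        # POSTs to the upload scripts are only remembered, not flagged on their own.
        if method == "POST" and path.rsplit("/", 1)[-1] in UPLOAD_SCRIPTS:
            uploaders.add(client)
            continue
        # Result data should never be requested as an executable script.
        if path.startswith(RESULTS_PREFIX) and SCRIPT_RE.search(path):
            findings.append({"client": client, "time": ts, "path": path,
                             "status": int(status),
                             "after_upload": client in uploaders})
    return findings

# Constructed sample log lines (documentation IP ranges, made-up file names).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "POST /resultimage.php HTTP/1.1" 200 12 "-" "agent"',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /results/x.php?a=1 HTTP/1.1" 200 40 "-" "agent"',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /results/1_screen.png HTTP/1.1" 200 5000 "-" "browser"',
    '198.51.100.7 - - [01/Jan/2024:10:02:00 +0000] "GET /results/old.phtml HTTP/1.1" 404 0 "-" "browser"',
]

if __name__ == "__main__":
    for hit in find_script_hits(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 and after_upload set is the strongest signal; hits with other statuses still show that someone is probing the results directory for script files.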