ClipBucket TOCTOU Race Condition Vulnerability in Avatar and Background Image Upload Allowing Remote Code Execution

Vulnerability

A Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability has been identified in ClipBucket version 5 prior to 5.5.3 - #40. The vulnerability exists in the avatar and background image upload functionality, where the application moves uploaded files to a web-accessible location before validating them. This creates a window of opportunity for an attacker to execute arbitrary PHP code before the file is deleted. The issue arises because the uploaded file is first moved to a public directory using 'move_uploaded_file()', and validation is performed afterward. If the validation fails, the file is deleted, but the race condition allows for exploitation before the deletion occurs.

Impact

Exploitation of this vulnerability allows remote code execution on the server as the web server user, typically 'www-data', or 'containeruser' in Docker deployments.

Reproduction

To reproduce this vulnerability, an authenticated user can upload a file through the avatar or background image upload features. The file is moved to a web-accessible location before it is validated. If the uploaded file is a PHP script, it can be executed via a concurrent HTTP request, taking advantage of the brief window before the file is deleted.

Remediation

Users are advised to update to ClipBucket version 5.5.3 - #40 or later. In versions prior to 5.5.3 - #40, the vulnerability can be mitigated by validating files before moving them to a web-accessible location.
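The following is an added illustration of the remediation, written for this page and not taken from ClipBucket's source: a PHP upload handler in the vulnerable shape the advisory describes (move into the web root, validate afterwards, unlink on failure) next to a hardened handler that validates the file while it is still in PHP's private upload temp directory and only then moves it under a server-chosen name. The directory path, size limit, allowed types and function names are assumptions.

```php
<?php
// Added example, not ClipBucket's own code. Paths, limits and helper names are assumptions.
declare(strict_types=1);

const PUBLIC_AVATAR_DIR = __DIR__ . '/files/avatars';   // assumption: served directly by the web server
const ALLOWED_MIME = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
const MAX_BYTES = 2 * 1024 * 1024;

/**
 * The vulnerable ordering described in the advisory: the upload lands in the
 * web root first and is only checked afterwards, so a concurrent request can
 * reach the file in the window between move_uploaded_file() and unlink().
 * Kept here for contrast only.
 */
function vulnerableAvatarUpload(array $file): ?string
{
    $dest = PUBLIC_AVATAR_DIR . '/' . basename($file['name']);  // client controls name and extension
    move_uploaded_file($file['tmp_name'], $dest);               // file is now reachable over HTTP
    if (@getimagesize($dest) === false) {
        unlink($dest);                                          // too late: the race window is already open
        return null;
    }
    return $dest;
}

/**
 * Hardened ordering: every check runs against PHP's temp copy, which lives
 * outside the web root, and nothing is written under the document root until
 * the file has passed. The name and extension on disk are chosen by the server.
 */
function safeAvatarUpload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // is_uploaded_file() rejects a forged tmp_name that points at some other path.
    if (!is_uploaded_file($file['tmp_name']) || ($file['size'] ?? 0) > MAX_BYTES) {
        return null;
    }

    // Content-based type detection on the private temp file, not the client's
    // declared MIME type or extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED_MIME[$mime])) {
        return null;
    }
    if (@getimagesize($file['tmp_name']) === false) {
        return null;
    }

    // Cheap defence against image/PHP polyglots: refuse bodies carrying PHP open tags.
    // Re-encoding the image with GD before storing it is a stronger alternative.
    $body = file_get_contents($file['tmp_name']);
    if ($body === false || stripos($body, '<?php') !== false || strpos($body, '<?=') !== false) {
        return null;
    }

    // Only now does anything touch the web-accessible directory, and the name
    // is random with an extension derived from the detected type.
    if (!is_dir(PUBLIC_AVATAR_DIR) && !mkdir(PUBLIC_AVATAR_DIR, 0755, true)) {
        return null;
    }
    $dest = PUBLIC_AVATAR_DIR . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED_MIME[$mime];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644);
    return $dest;
}

// Usage from a request handler (assumed form field name 'avatar'):
if (PHP_SAPI !== 'cli') {
    $stored = safeAvatarUpload($_FILES['avatar'] ?? []);
    http_response_code($stored === null ? 400 : 200);
}
```

The order of operations is the whole point: in the vulnerable function the only thing standing between an attacker and execution is how quickly unlink() runs, whereas in the hardened function a rejected file never exists under the document root at all. Even with validation moved first, the upload directory should also be configured so the web server never executes scripts from it (for example, disabling the PHP handler for that path), which closes the residual risk from content that passes image checks but carries a script-like extension or payload.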

Added: Feb 10, 2026, 6:23 PM
Updated: Feb 10, 2026, 6:23 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 2.5
exploitability: 6.4
remediation: 7.7
relevance: 2.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.