Code16 Sharp Unrestricted File Upload Vulnerability in ApiFormUploadController

Vulnerability

A vulnerability exists in the Code16 Sharp content management framework for Laravel, specifically in versions prior to 9.20.0. The issue is located in the file upload endpoint of the ApiFormUploadController, where authenticated users can bypass file type restrictions. This is possible because the upload endpoint accepts a client-controlled validation_rule parameter, which is passed directly to the Laravel validator without adequate server-side validation. By manipulating the request to include validation_rule[]=file, an attacker can circumvent all MIME type and file extension restrictions. If the storage disk for Sharp uploads is publicly accessible, this could lead to remote code execution by allowing the upload of malicious PHP files that could be executed via a web server.

Impact

Exploitation of this vulnerability allows authenticated users to upload arbitrary files, including PHP web shells, to the server. This bypasses all MIME type and file extension validations. If the storage disk is publicly accessible, it could lead to remote code execution by executing the uploaded PHP files.

Reproduction

To reproduce this vulnerability, an authenticated user can send a request to the file upload endpoint of the ApiFormUploadController. The request must include a validation_rule parameter set to 'file'. This can be done by intercepting the request and adding the parameter, which will bypass the server-side validation and allow the upload of restricted file types.

Remediation

Users are advised to update to Code16 Sharp version 9.20.0 or later, where this vulnerability has been fixed by removing client-controlled validation rules and enforcing strict server-side upload rules. As an additional measure, ensure that the storage disk used for Sharp uploads is set to private, so that uploaded files are never served directly by the web server.
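The pattern the advisory describes (a validation rule array taken from the request and handed to the Laravel validator) and the remediation it recommends (server-fixed rules, private disk) are shown side by side below. This is an added, illustrative example written for this page; it is not Sharp's own code, and the controller name, the `validation_rule` default, the `private_uploads` disk name and the allowed-type list are assumptions made for the illustration.

```php
<?php
// Illustrative example, not Code16 Sharp's code. Contrasts a controller that
// lets the client choose its own validation rules with a hardened version.

namespace App\Http\Controllers;

use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Storage;
use Illuminate\Validation\Rules\File;

class UploadExampleController
{
    // Assumed allow-list for the hardened handler.
    private const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'pdf'];
    private const ALLOWED_MIME_TYPES = ['image/jpeg', 'image/png', 'application/pdf'];
    private const MAX_KILOBYTES = 4096;

    // VULNERABLE PATTERN: the rule set is read from the request body. Whatever
    // default the server intends, a client-supplied array replaces it, and a
    // rule array of just ['file'] checks only "this is an uploaded file", so
    // every MIME type and extension restriction disappears.
    public function uploadInsecure(Request $request): JsonResponse
    {
        $rules = $request->input('validation_rule', ['file', 'mimes:jpg,png,pdf']);

        $request->validate([
            'file' => $rules, // client-controlled rules: the bug
        ]);

        // Public disk: anything stored here is reachable through the web root,
        // which is what turns an arbitrary upload into a code-execution risk.
        $path = $request->file('file')->store('uploads', 'public');

        return response()->json(['path' => $path]);
    }

    // HARDENED PATTERN: rules are fixed on the server, the request parameter is
    // never consulted, the stored name is generated server-side, and the file
    // lands on a private disk that the web server does not serve.
    public function uploadSecure(Request $request): JsonResponse
    {
        $validated = $request->validate([
            'file' => [
                'required',
                // File::types() checks both the extension and the content-derived MIME type.
                File::types(self::ALLOWED_EXTENSIONS)->max(self::MAX_KILOBYTES),
            ],
        ]);
        // Deliberately no $request->input('validation_rule') anywhere.

        $uploaded = $validated['file'];

        // Defence in depth: compare the MIME type detected from the file contents
        // (not the type declared by the client) against the allow-list.
        if (!in_array($uploaded->getMimeType(), self::ALLOWED_MIME_TYPES, true)) {
            abort(422, 'Unsupported file content');
        }

        // extension() is derived from the detected MIME type, not the client name,
        // so double-extension names in the upload never reach the filesystem.
        $extension = strtolower($uploaded->extension());
        $name = bin2hex(random_bytes(16)) . '.' . $extension;

        // 'private_uploads' is an assumed disk name; it should be configured in
        // config/filesystems.php with 'visibility' => 'private' and a root outside public/.
        $path = Storage::disk('private_uploads')->putFileAs('uploads', $uploaded, $name);

        return response()->json(['path' => $path]);
    }
}
```

The hardened handler shows the two remediation points together: the validation rules are constants the request cannot influence, and the destination disk is private, so even a file that slipped past validation could not be fetched or executed through the web server. When reviewing an upload endpoint, a quick check is to grep the controller for any `validate()` call whose rule array is built from `$request->input(...)` or `$request->all()`.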

Added: Mar 26, 2026, 10:44 PM
Updated: Mar 26, 2026, 10:44 PM

Vulnerability Rating

Custom Algorithm
spread: 7.8
impact: 10.0
exploitability: 3.6
remediation: 7.9
relevance: 4.7
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.