Subrion allows to upload pht, phar extensions. #801

Closed
Hexife opened this issue Nov 14, 2018 · 7 comments
@Hexife

Hexife commented Nov 14, 2018

Brief of this vulnerability
In the upload process, Subrion allows uploading pht and phar files. These can be executed as PHP scripts depending on the server environment.

Test Environment

  • Apache/2.4.18 (Debian)
  • PHP 5.6.38-2+ubuntu16.04.1+deb.sury.org+1 (cli)

Affected version
4.2.1

Payload

  1. Go to http://[address]:[port]/[app_path]/panel/uploads with admin credentials.

  2. Save PHP code with a pht or phar extension and upload it, like below.

# test.pht
<?php system(id);?>

  3. Right-click and open the uploaded file name, or
     go to http://[address]:[port]/[app_path]/uploads/[uploaded file].

  4. Profit!

Reason for This Vulnerability
Subrion has an .htaccess file to prevent execution of uploaded files.

# Deny files access for some file extensions
<FilesMatch "(?i)\.(php|php5|php4|php3|php2|phtml|pl|py|jsp|asp|htm|shtml|sh|cgi)$">
    ForceType text/plain
    Order Deny,Allow
    Deny from All
</FilesMatch>

# Process script files as plain text
AddHandler default-handler .php .php5 .php4 .php3 .php2 .phtml .pl .py .jsp .asp .htm .shtml .sh .cgi

In the upload directory, .htaccess does not prevent execution of files with the pht and phar extensions. As a result, they can be executed as PHP scripts.

I tested the pht extension because my test environment is PHP 5.6, where mod_php cannot execute phar extension scripts as PHP. But if Subrion is installed in a PHP 7.2+ environment, the phar extension can also be executed as PHP.
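As an added check (not from the report or the Subrion project), the script below compares the uploads .htaccess deny pattern quoted above against the FilesMatch patterns that, to my knowledge, Debian/Ubuntu php packages use to hand files to mod_php, and reports file names that the handler would execute but the deny list does not cover. The handler patterns and the candidate file names are assumptions constructed for this example; verify the real ones against /etc/apache2/mods-enabled/php*.conf on the host being audited.

```python
import re

# FilesMatch pattern from the uploads .htaccess quoted in the report (deny list).
# "Deny from All" returns 403 for every match, whatever handler would apply.
HTACCESS_DENY = r"(?i)\.(php|php5|php4|php3|php2|phtml|pl|py|jsp|asp|htm|shtml|sh|cgi)$"

# Assumed mod_php FilesMatch patterns (SetHandler application/x-httpd-php) as shipped
# by Debian/Ubuntu php5 and php7 packages. Not from the page: check the host's conf.
MOD_PHP_HANDLERS = {
    "php5": r".+\.ph(p[345]?|t|tml)$",   # note: 't' alternative matches .pht
    "php7": r".+\.ph(ar|p|tml)$",        # note: 'ar' alternative matches .phar
}

# Constructed sample upload names for the audit.
CANDIDATES = ["shell.php", "shell.php5", "shell.phtml", "shell.pht", "shell.phar",
              "shell.php7", "shell.PHT", "notes.txt", "image.png"]

# Widened deny pattern for comparison: covers .php2-.php7, .pht, .phtml and .phar.
HARDENED_DENY = r"(?i)\.(ph(p[2-7]?|t|tml|ar)|pl|py|jsp|asp|htm|shtml|sh|cgi)$"


def executable_but_not_denied(deny_pattern, handler_pattern, names):
    """Names that the PHP handler pattern matches but the deny pattern does not.

    Apache FilesMatch is case-sensitive unless the pattern says (?i), so the
    patterns are compiled exactly as written and matched against the file name.
    """
    deny = re.compile(deny_pattern)
    handler = re.compile(handler_pattern)
    return sorted(n for n in names if handler.search(n) and not deny.search(n))


def audit(deny_pattern=HTACCESS_DENY, names=CANDIDATES):
    """Gap report per assumed PHP version: {version: [uncovered names]}."""
    return {ver: executable_but_not_denied(deny_pattern, pat, names)
            for ver, pat in MOD_PHP_HANDLERS.items()}


if __name__ == "__main__":
    for label, pattern in (("report .htaccess", HTACCESS_DENY), ("widened", HARDENED_DENY)):
        print(label, audit(pattern))
```

With the report's pattern the audit flags shell.pht under the php5 handler and shell.phar under php7, matching the report; with the widened pattern both lists are empty. A deny list only covers what it names, so derive it from the host's actual handler configuration rather than from memory.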

@Hexife
Author

Hexife commented Nov 14, 2018

Note: the php7 extension could also be uploaded, but it was not executable because of the .htaccess placed in the app root.

@Hexife
Author

Hexife commented Nov 22, 2018

I got the CVE number for this vulnerability: CVE-2018-19422.

@vbezruchkin
Member

Hi,

Thanks for your report. Could you please explain the first step?

move to http://[address]:[port]/[app_path]/panel/uploads with admin credential

What would be the idea to upload files if you have admin login details? Sounds a bit useless. All the frontend upload fields are validated and there is no way to upload files being logged in as non-admin.

Thanks

@Hexife
Author

Hexife commented Jan 25, 2019

I'm glad to see your comment 😄

Before starting to write the answer to your comment: I didn't understand the point of your question exactly, so this comment might not be a sufficient answer. 😭

If this comment does not answer your question, please comment with the details of your question.

The first step means: log in as a user who can use the upload feature, and go to the upload page (admin panel / content / uploads).

I found this vulnerability in the upload feature, and the user needs admin details to use this feature.

The main problem of this vulnerability comes from an incomplete blacklist in the .htaccess.
(I didn't think it was intended behavior, because other PHP-executable extensions were already blocked in the .htaccess.)

So, I think account problems (stolen admin details or session, etc.) should be considered only as the requirements for triggering this vulnerability.

(In other words, the account problem can decrease the severity of this vulnerability,
but it can't be a countermeasure for this problem.)

Thanks!

@vbezruchkin
Member

Thanks for the report. Yes, the note sounds indeed reasonable - we will definitely modify .htaccess and exclude php-executables within the uploads/ folder.
Anyhow, we all understand the admin should be careful about the feature that allows managing files within a directory. The system still should be manually tuned when it comes to admin panel functionality.
For example we have functionality that allows creating/editing blocks with php content, and this part might also be very dangerous. Admins should clearly understand what they allow and what's permitted.

@Hexife
Author

Hexife commented Jan 25, 2019

I agree with your words. 😄

The admin panel might have some management features even if they are dangerous.

They are intended features.
(I think that one of the important points about a vulnerability is whether the behavior is intended or not.)

Therefore, misuse of a dangerous feature without another vulnerability (e.g. XSS) is not a vulnerability of the feature.

It is just a permission management failure.

Thank you!

@vbezruchkin
Member

Thanks. Added to the version now.
