PHPVibeCms directory traversal / arbitrary file write. Affected versions: 11.0.3 through 11.0.46.
This directory traversal vulnerability was found in ./app/uploading/upload-ffmpeg.php, ./app/uploading/upload-mp3.php and ./app/uploading/upload.php. In these files, parameters taken from the HTTP request are not strictly filtered, which leads to the vulnerability.
An attacker can craft a GET request containing a 'token' parameter and specific headers, causing a path traversal that writes a file with a chosen suffix to any path under the web root.
The file upload-ffmpeg.php is used below as the reproduction example; it shows the cause of the vulnerability and the details of debugging it.
Use the following PoC to access upload-ffmpeg.php:
In the debug window you can see that $new_name receives the full contents of the token parameter.
$target_path is the default upload directory, $new_name comes from $token, and $ext is the suffix of $fileName. Concatenated as the first argument of fopen(), they yield the output path shown below.
As a result, the file is written to .htaccess in the web root.
The POST body is appended to the end of the written file.
Since the CMS relies on .htaccess for URL rewriting by default, the written .htaccess is honoured by the web server.
With the same logic, write PHP code into a .png file.
The .png file is then parsed and executed as PHP.
Fix: blacklist the .htaccess file extension. Note that a blacklist of .htaccess alone does not address the root cause, which is that the unfiltered token is used as $new_name; both the token and the extension need validation before the path reaches fopen().
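To make the root cause concrete, the following is an added example in PHP (not PHPVibe's code) that models the path construction described above and puts a hardened version beside it. The upload directory, the allow-listed extensions, the function names and the traversal token are all assumptions constructed for the demo; the page's actual PoC request is not reproduced.

```php
<?php
declare(strict_types=1);

// Added example, not PHPVibe's code. Models the construction described on this
// page: $target_path . $new_name . $ext, with $new_name taken verbatim from the
// 'token' parameter, and contrasts it with a hardened version. Directory,
// extension list and the token value used in the demo are assumptions.

// Vulnerable pattern: the attacker controls $new_name, $ext is whatever suffix
// the client-supplied file name carries, and the result goes straight to fopen().
function vulnerableUploadPath(string $targetPath, string $token, string $fileName): string
{
    $newName = $token;                          // unfiltered request parameter
    $ext     = strrchr($fileName, '.') ?: '';   // '.mp4', '.png', ... or '' when no dot
    return $targetPath . $newName . $ext;
}

// Hardened pattern: allow-listed extension, single-component name, containment check.
function safeUploadPath(string $targetPath, string $token, string $fileName): ?string
{
    // 1. Extension allow-list. A blacklist of '.htaccess' alone would still let
    //    '.php', '.phtml', '.user.ini' and similar through.
    $allowed = ['mp3', 'mp4', 'webm', 'jpg', 'jpeg', 'png'];
    $ext = strtolower(pathinfo($fileName, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        return null;
    }

    // 2. The token may only be a single path component of safe characters:
    //    no '/', '\\', '..', NUL or anything else that changes the directory.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $token) !== 1) {
        return null;
    }

    // 3. Belt and braces: the directory the file would land in must resolve to
    //    the upload directory. realpath() fails for a not-yet-existing file, so
    //    the parent directory is resolved instead.
    $base = realpath($targetPath);
    $dir  = realpath(dirname($targetPath . $token . '.' . $ext));
    if ($base === false || $dir === false || $dir !== $base) {
        return null;
    }
    return $base . DIRECTORY_SEPARATOR . $token . '.' . $ext;
}

// --- demo with a constructed traversal token (assumed values) ---
$uploadDir = sys_get_temp_dir() . '/phpvibe-demo-uploads/';
@mkdir($uploadDir, 0700, true);

$token    = '../../.htaccess';   // constructed; not the PoC from this page
$fileName = 'clip';              // constructed so that the suffix is empty

echo 'vulnerable: ', vulnerableUploadPath($uploadDir, $token, $fileName), PHP_EOL;
// escapes the upload directory: <tmp>/phpvibe-demo-uploads/../../.htaccess

var_dump(safeUploadPath($uploadDir, $token, $fileName));              // NULL: bad token and bad extension
var_dump(safeUploadPath($uploadDir, 'abc123', 'clip.mp4') !== null);  // bool(true)
```

The point of the hardened version is that the token never decides the directory: the character class rejects separators and dot sequences, the allow-list rejects .htaccess and script extensions regardless of how the suffix is supplied, and the realpath() comparison catches anything that slips past either check.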