Authenticated Remote code Execution #7
Comments
|
Hi, thanks for reporting this issue, will be solved ASAP |
|
Has any fix been added for this? We would like to report this to CVE Mitre for registering it with a CVE ID. Look forward to your response. |
|
Hi, this bug has been fixed |
|
This issue has been fixed in master branch
On Fri, Nov 8, 2019 at 12:00 PM Yosri Debaibi ***@***.***> wrote:
Has any fix been added for this?
Look forward to your response.
--
<http://www.cloudbitinteractive.com/>
Tufik Chediak Sánchez
*CEO, DEVELOPER DIRECTOR *
Phone: +1 (647) 313 9937, Toronto, Canadá.
Skype: tufik.chediak
Web: www.cloudbitinteractive.com
|
|
This vulnerability still exists: as long as .htaccess is removed through delete, .php files can still be executed. |
Affected software: CuppaCMS
Type of vulnerability: Remote code execution
Discovered by: Yosri Debaibi
Description:
The file manager option allows admin users to upload images to the application, and the rename function could be altered by the users. An authenticated attacker is able to upload a malicious file with an image extension (jpg, jpeg, png ..) and, through a custom request using the rename function provided by the file manager, is able to modify the image extension into php, as a result executing PHP code.
Proof of concept:
Step1: Login to the cuppa cms.
Step2: URL: http://127.0.0.1/cuppa/administrator/
Go to the File manager.

Step3: Upload our malicious php file with an image extension in Upload_files.
Once it is uploaded, the file is renamed to "evil_1572625596.jpg", which is located in media/upload_files/evil_1572625596.jpg, as shown in the figure below.
Step4: We launched our proxy to intercept the request, then we renamed our file to evil.php using the rename button in the file manager.
Step5: We deleted the jpg extension from the "to:/upload_files/evil.php.jpg" parameter to change our file name to evil.php and forwarded the request to the server.
Step6: We had successfully uploaded our evil.php to the server.
We executed our payload by accessing the URL below:

http://127.0.0.1/cuppa/administrator/media/upload_files/evil.php
PHP code is executed.
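
A server-side check that would refuse the rename request from Step5 and the `.htaccess` deletion mentioned in the comments, as an added example that is not CuppaCMS code and not part of the original report. The function names, the extension allowlist, the one-extension naming policy and the base directory are assumptions.

```php
<?php
// Added example: hypothetical validation for file-manager rename/delete requests.
// Names, allowlist and base directory are assumptions, not CuppaCMS code.
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];

// Normalise a client-supplied relative path; null if it could leave $baseDir.
function resolveInside(string $baseDir, string $relative): ?string
{
    if (strpos($relative, "\0") !== false) return null;
    $parts = [];
    foreach (explode('/', str_replace('\\', '/', $relative)) as $seg) {
        if ($seg === '' || $seg === '.') continue;
        if ($seg === '..') return null;              // refuse traversal outright
        $parts[] = $seg;
    }
    return $parts ? rtrim($baseDir, '/') . '/' . implode('/', $parts) : null;
}

// Strict policy: "<name>.<allowlisted ext>" only, no dotfiles, no double extensions.
function hasSafeName(string $path): bool
{
    $name = basename($path);
    if ($name === '' || $name[0] === '.') return false;   // .htaccess, .user.ini
    $pieces = explode('.', strtolower($name));
    if (count($pieces) !== 2) return false;               // evil.php.jpg, evil
    return in_array($pieces[1], ALLOWED_EXT, true);
}

function isRenameAllowed(string $baseDir, string $from, string $to): bool
{
    $src = resolveInside($baseDir, $from);
    $dst = resolveInside($baseDir, $to);
    if ($src === null || $dst === null) return false;
    if (!hasSafeName($src) || !hasSafeName($dst)) return false;
    // The extension chosen at upload time must survive the rename.
    return strtolower(pathinfo($src, PATHINFO_EXTENSION))
        === strtolower(pathinfo($dst, PATHINFO_EXTENSION));
}

function isDeleteAllowed(string $baseDir, string $target): bool
{
    $path = resolveInside($baseDir, $target);
    return $path !== null && hasSafeName($path);          // server config files stay put
}

// Constructed sample requests mirroring the report and the follow-up comment.
$base = '/var/www/cuppa/media';
var_dump(isRenameAllowed($base, '/upload_files/evil_1572625596.jpg', '/upload_files/evil.php'));
var_dump(isRenameAllowed($base, '/upload_files/evil_1572625596.jpg', '/upload_files/photo.jpg'));
var_dump(isDeleteAllowed($base, '/upload_files/.htaccess'));
```

The check has to run on the server for every rename and delete request, because the `to` parameter is fully under the client's control. Serving the upload directory with script execution disabled in the main server configuration, rather than in a deletable `.htaccess`, removes the dependency the last comment describes.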