
Authenticated Local File Inclusion (LFI) in fm module #33

Closed
carlcj opened this issue Aug 4, 2019 · 1 comment


carlcj commented Aug 4, 2019

Hello Team,

When I'm using the application, I observed that the application is vulnerable to an LFI (Local File Inclusion) vulnerability. Only an authenticated user can perform this exploit remotely.

Steps to reproduce the vulnerability
Log in to the application as an admin user or equivalent user and go to the below link

http://localhost/gilacms/admin/fm/?f=src../../../../../../../../../WINDOWS/system32/drivers/etc/hosts
[screenshot: gilacms lfi]

#################################################################
To fix the Vulnerability

  • If possible, do not permit appending file paths directly. Make them hard-coded or selectable from a limited hard-coded path list via an index variable.
  • If you definitely need dynamic path concatenation, ensure you only accept required characters such as "a-Z0-9" and do not allow ".." or "/" or "%00" (null byte) or any other similar unexpected characters.
  • It is important to limit the API to allow inclusion only from a directory and directories below it. This way you can ensure any potential attack cannot perform a directory traversal attack.

Tested on Windows 10
XAMPP version: v3.2.2
Gila CMS Version: 1.10.9

@vzuburlis vzuburlis added this to Backlog in Content Editing Aug 5, 2019
@vzuburlis vzuburlis moved this from Backlog to To do in Content Editing Aug 5, 2019
@vzuburlis vzuburlis moved this from To do to In progress in Content Editing Aug 12, 2019
vzuburlis (Member) commented:

The inclusion now is limited below the installation folder. Thanks @carlcj for sharing this issue

@vzuburlis vzuburlis moved this from In progress to Done in Content Editing Sep 18, 2019
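
The following PHP is an added example, not Gila CMS code and not the fix the maintainer applied. It implements the two mitigations the report lists (a character allowlist that rejects "..", "%00" and stray characters, and a containment check so inclusion is only possible from a base directory and the directories below it), which is also what the maintainer's "limited below the installation folder" describes. The function name, the demo directory and the sample requests are hypothetical; the traversal string is the one from the report.

```php
<?php
declare(strict_types=1);

// Added example, not Gila CMS code. Two layers: cheap syntactic checks on the
// raw request, then a realpath() containment check so the resolved file can
// only be $baseDir itself or something beneath it (symlinks included).

function resolveInsideBase(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return null; // the base directory must exist
    }

    // 1. Syntactic checks before touching the filesystem.
    if ($requested === '' || strlen($requested) > 4096 || strpos($requested, "\0") !== false) {
        return null; // empty, absurdly long, or carries a NUL byte
    }
    // Only the characters a file manager needs: letters, digits, ".", "_", "-", "/".
    if (!preg_match('~^[A-Za-z0-9._/-]+$~', $requested)) {
        return null;
    }
    // Reject any ".." path segment regardless of which separator is used.
    foreach (preg_split('~[\\\\/]+~', $requested) as $segment) {
        if ($segment === '..') {
            return null;
        }
    }

    // 2. Semantic check: resolve symlinks and compare against the base.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false) {
        return null; // realpath() needs an existing target; missing file is rejected
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($candidate !== $base && strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the base, e.g. through a symlink
    }
    return $candidate;
}

// Constructed demo: a temporary base directory holding one file.
$demoBase = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'fm_demo_' . getmypid();
mkdir($demoBase . DIRECTORY_SEPARATOR . 'src', 0700, true);
file_put_contents($demoBase . DIRECTORY_SEPARATOR . 'src' . DIRECTORY_SEPARATOR . 'index.html', "<p>hi</p>\n");

$requests = [
    'src/index.html',                                                   // file under the base
    'src../../../../../../../../../WINDOWS/system32/drivers/etc/hosts', // traversal string from the report
    "src/index.html\0.txt",                                             // NUL byte in the name
    '../' . basename($demoBase) . '/src/index.html',                    // steps out of the base and back in
];
foreach ($requests as $r) {
    $resolved = resolveInsideBase($demoBase, $r);
    printf("%-70s => %s\n", addcslashes($r, "\0"), $resolved === null ? 'REJECTED' : 'ALLOWED ' . $resolved);
}

// Remove the demo directory again.
unlink($demoBase . '/src/index.html');
rmdir($demoBase . '/src');
rmdir($demoBase);
```

The containment check compares the fully resolved path, so a symlink inside the base that points elsewhere is rejected even though its name passes the allowlist. Because realpath() only resolves existing files, this helper suits reads and edits; for creating new files, resolve the parent directory the same way and append the validated file name afterwards.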