Fix upload filter bypass leading to RCE #49
It is possible to bypass the media asset upload restrictions that are in place to prevent arbitrary PHP being executed on the server by abusing a combination of two issues.
The first is the support for uploading animated GIFs. By submitting a GIF that contains the following content we can place a GIF file that contains [currently unexecutable] PHP code in a GIF file on the server (in this case
After uploading this, the file can now be clicked and the move function can be used to move this into another directory within the application directory with a PHP extension (in this case, it is moved to
As can be seen in the below screenshot, this is now stored on the server with a valid extension:
At this point, the PHP file cannot be executed as the htaccess file found in
This prevents any PHP files under
This creates a GIF file on the server that starts with a valid comment character, which prevents the server from running into an error when parsing it during subsequent requests. The same rename bug can then be used to move this file to
After doing this, the PHP file can be accessed from the web browser, and remote code execution is gained as can be seen in the below screenshot in which
This pull request implements a rather simplistic means of patching this for now, by checking the extension of the specified destination path and blocking it if it is either
You're welcome! It should be noted that there is still potential for abuse by using a blacklist vs a whitelist of safe extensions.
Although I believe the default configuration of Apache / PHP adds handlers for extensions such as
It's more of an edge-case scenario nowadays, but it's worth trying to fix it at some point in the future when time permits.
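The fix in this pull request blocks a short blacklist of destination extensions, and the comments above point out that a whitelist would close the gaps a blacklist leaves. The following is an added example, not the project's own code, of how a move/rename destination could be validated against an allowlist instead; the function and constant names, the allowed extension list and the sample paths are all hypothetical.

```php
<?php
// Added example, not the project's own code: allowlist check for the
// destination of a media move/rename. Names are hypothetical.
const ALLOWED_MEDIA_EXTENSIONS = ['gif', 'jpg', 'jpeg', 'png', 'webp'];

// $relativeDestination is the move target relative to the media root,
// e.g. "gallery/cat.gif". Returns true only if the path is safe to write to.
function isSafeMediaDestination(string $relativeDestination): bool
{
    $path = str_replace('\\', '/', $relativeDestination);
    // Stay inside the media root: no absolute paths, no "." / ".." segments,
    // no empty segments from doubled slashes.
    if ($path === '' || $path[0] === '/') {
        return false;
    }
    foreach (explode('/', $path) as $segment) {
        if ($segment === '' || $segment === '.' || $segment === '..') {
            return false;
        }
    }

    // Dotfiles such as .htaccess are server configuration, never media.
    $name = basename($path);
    if ($name[0] === '.') {
        return false;
    }

    // Apache's mod_mime can pick a handler from any extension in the name, not
    // only the last, so every part after the base name must be allowlisted.
    $parts = explode('.', strtolower($name));
    if (count($parts) < 2) {
        return false;
    }
    foreach (array_slice($parts, 1) as $ext) {
        if (!in_array($ext, ALLOWED_MEDIA_EXTENSIONS, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample destinations and the verdict each must receive.
$samples = ['gallery/cat.gif' => true, 'gallery/cat.PHP' => false,
            'gallery/cat.php.gif' => false, '.htaccess' => false, '../cat.gif' => false];
foreach ($samples as $path => $expected) {
    if (isSafeMediaDestination($path) !== $expected) {
        throw new RuntimeException("unexpected verdict for $path");
    }
}
```

The same check should run on the original upload filename as well as on the move destination, so that both code paths enforce a single allowlist.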