PHP Code Execution Via Inject Malicious Code Or Create New Php File In Zip Theme #2374

Closed
KietNA-HPT opened this issue Aug 26, 2021 · 4 comments

@KietNA-HPT

#KietNA From Inv1cta Team, HPT Cyber Security Center
Describe the bug

The attacker can abuse the upload theme function to insert malicious PHP code or a PHP file into a zip file and upload it to the server. The function will then extract that file to "webroot/themes/[Theme Folder]", and the attacker can access it and execute arbitrary code.

Version

PHPFusion version: PHPFusion 9.03.110

To Reproduce

Steps to reproduce the behavior:

  1. Add " " in line one of a php file of the plugin, or create a php file in any folder, then zip it (I create kietna.php file in forum folder)
  2. Go to Theme Manager function in admin panel
  3. Click on Upload New Theme tab
  4. Upload malicious zip file
  5. Access "/themes/[Plugin Folder]/theme.php?0=ls" or "/themes/[Plugin Folder]/forum/kietna.php?0=ls" to execute arbitrary code

Screenshots

image
image
The function extracted malicious zip file:
image
Execute code:
image

Additional context

It looks like CVE-2019-11631: https://www.exploit-db.com/exploits/46775
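
One way to check a theme archive before it is extracted under the web root, covering both cases in the report above (a changed theme.php and an added PHP file). This is an added example, not part of the original issue or PHPFusion's code; the manifest of known-good SHA-256 digests, the `Demo/` theme and all file contents are constructed assumptions.

```python
import hashlib
import io
import zipfile

# Extensions a typical PHP handler executes (assumption; match your server config).
EXEC_EXT = (".php", ".phtml", ".phar", ".php5", ".php7")


def audit_theme_zip(data: bytes, manifest: dict) -> list:
    """Compare every file in a theme archive with a known-good manifest.

    manifest maps archive path -> SHA-256 hex digest (hypothetical format).
    Returns (path, reason) findings; an empty list means the archive matches.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            expected = manifest.get(name)
            digest = hashlib.sha256(zf.read(info)).hexdigest()
            if expected is None:
                kind = "executable" if name.lower().endswith(EXEC_EXT) else "file"
                findings.append((name, f"unexpected {kind}"))
            elif digest != expected:
                findings.append((name, "content differs from manifest"))
    return findings


def build_zip(files: dict) -> bytes:
    """Build an in-memory zip from {path: bytes} (used for the constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in files.items():
            zf.writestr(path, content)
    return buf.getvalue()


# Constructed sample: a clean theme, then the two tampering cases from the report.
CLEAN = {"Demo/theme.php": b"<?php // theme code\n", "Demo/styles.css": b"body{}\n"}
MANIFEST = {p: hashlib.sha256(c).hexdigest() for p, c in CLEAN.items()}
TAMPERED = dict(CLEAN)
TAMPERED["Demo/theme.php"] = b"<?php /* extra line */ ?>\n" + CLEAN["Demo/theme.php"]
TAMPERED["Demo/forum/kietna.php"] = b"<?php // placeholder\n"

if __name__ == "__main__":
    for path, reason in audit_theme_zip(build_zip(TAMPERED), MANIFEST):
        print(f"{path}: {reason}")
```

A name-only allowlist would catch the added file but not the edited theme.php, which is why the check compares content digests.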

@RobiNN1
Contributor

RobiNN1 commented Aug 26, 2021

Man. It's fuc* theme that must contain php.

Fix is simple, disable this upload function in Theme manager but there are users that use it.. // removed after discussion with Fred

Also if you have access to administration you can run php from multiple places..

@RobiNN1 RobiNN1 closed this as completed Aug 26, 2021
@FrederickChan
Member

Any scripts in admin panel vulnerabilities caused by the Administrator itself are not covered. You might as well give him Shell Access to your server and claim the whole software is vulnerable.

RobiNN1 added a commit that referenced this issue Aug 26, 2021
@FrederickChan
Member

FrederickChan commented Aug 27, 2021 via email

Those involved in this better promote PHPFusion’s security features after this. If everything is handled like this, no more headache for all of us.
-- Regards, Frederick Chan

@KietNA-HPT
Author

Thanks for your reply, I feel happy because you considered my issue
