File upload bypass with .phar extension leads to RCE

Author: Riccardo Krauter @ Soter IT Security

Summary

The vulnerability affects the FilePicker module: the upload restriction can be bypassed to upload a malicious file with a .phar extension and gain Remote Code Execution.

Steps to reproduce the issue

Prepare a PoC file with a .phar extension containing arbitrary PHP code.

[screenshot]

Log into the admin area, navigate to the MicroTiny WYSIWYG editor, then click the insert/edit image button. The screenshot below shows these steps.

[screenshot]

A new window opens; click the search button and the CMSMS File Picker is shown.

[screenshot]

The FilePicker module is now in use. Click the upload button.

[screenshot]

Select the malicious .phar file.

[screenshot]

The file is uploaded without being rejected.

[screenshot]

Browse to the uploaded .phar file to trigger code execution.

[screenshot]

The exploit works because the upload handler only checks whether the extension contains the string "php", which "phar" does not match. The exploit was confirmed on a standard Ubuntu system; the configuration used for the tests was:

  • Linux ubuntu 5.4.0-58-generic
  • PHP version 7.4.3
  • Apache/2.4.41 (Ubuntu)
  • File Picker version 1.0.5
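As an added illustration (not the FilePicker module's own code, which this page does not reproduce), the substring-style check the advisory describes is shown beside an allowlist replacement; the function names and the sample filenames are constructed for the demo.

```php
<?php
// Illustrative reconstruction of the flawed check, not the module's code:
// an upload is rejected only if its extension contains "php".
// "phar" does not contain "php", so it is allowed, and on Debian/Ubuntu
// packages Apache's PHP module config maps .phar to the PHP handler,
// so the uploaded file runs as PHP when requested.
function weak_extension_check(string $filename): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return strpos($ext, 'php') === false; // true = allowed
}

// Hardened replacement (also illustrative): an explicit allowlist of the
// image types the picker is meant to handle, requiring exactly one
// extension so names like "x.png.phar" cannot carry a second one.
function hardened_extension_check(
    string $filename,
    array $allowed = ['png', 'jpg', 'jpeg', 'gif']
): bool {
    $parts = explode('.', basename($filename));
    if (count($parts) !== 2 || $parts[0] === '') {
        return false;
    }
    return in_array(strtolower($parts[1]), $allowed, true);
}

// Constructed sample names; note the weak check lets every .phar through.
$samples = ['picture.png', 'shell.phar', 'shell.PhAr',
            'shell.php', 'shell.phtml', 'shell.png.phar'];
foreach ($samples as $name) {
    printf("%-16s weak=%-8s hardened=%s\n", $name,
        weak_extension_check($name) ? 'allowed' : 'blocked',
        hardened_extension_check($name) ? 'allowed' : 'blocked');
}
```

Beyond the name check, storing uploads outside the web root or under a directory where the PHP handler is disabled removes the execution path even if a filter is bypassed.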