Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Unrestricted File Upload Reported #276

Closed
math1as opened this issue Apr 7, 2017 · 1 comment

Comments

Projects
None yet
2 participants
@math1as
Copy link

commented Apr 7, 2017

#' Exploit Title: Unrestricted File Upload
#' Vulnerability Type: Accessing, Modifying or Executing Executable Files (CAPEC-17)
#' Reporting Date: 07-04-2017
#' Author: @math1as
#' Vendor Homepage: https://www.bigtreecms.org/
#' Software Link: https://github.com/bigtreecms
#' Version: v.4.2.16

I. Abstract

BigTree CMS is publicly licensed under the GNU Lesser General Public License
It is an open source content management system built on PHP and MySQL

II. Introduction

2.1 Accessing, Modifying or Executing Executable Files

An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.

2.2 vulnerability analysis for bigtree cms
At the file
/core/inc/bigtree/apis/storage.php
line 11
The code of Regular expression shows that i could be bypassed by upload a file
Name ‘xxx.php[space]’
var $DisabledExtensionRegEx = '/\.(exe|com|bat|php|rb|py|cgi|pl|sh|asp|aspx)$/i';
Then the attacker could get a webshell by using this method

III. References

3.1. CAPEC-17 https://capec.mitre.org/data/definitions/17.html
3.2. https://www.owasp.org/index.php/Unrestricted_File_Upload

timbuckingham added a commit that referenced this issue Apr 7, 2017

Fixing empty space at the end of a file name allowing dangerous files…
… to be uploaded.

Thank you to math1as from l-team for the disclosure and fix.

#276

@timbuckingham timbuckingham added this to the 4.2.17 milestone Apr 7, 2017

@timbuckingham

This comment has been minimized.

Copy link
Collaborator

commented Apr 7, 2017

Thanks math1as! This will be in the 4.2.17 release today.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.