Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security hole for upload file bypass #280

Closed
xfkxfk opened this issue May 16, 2017 · 1 comment
Closed

Security hole for upload file bypass #280

xfkxfk opened this issue May 16, 2017 · 1 comment

Comments

@xfkxfk
Copy link

xfkxfk commented May 16, 2017

#' Exploit Title: File Upload Bypass
#' Vulnerability Type: Accessing, Modifying or Executing Executable Files (CAPEC-17)
#' Reporting Date: 16-05-2017
#' Author: @xfkxfk
#' Vendor Homepage: https://www.bigtreecms.org/
#' Software Link: https://github.com/bigtreecms/BigTree-CMS/
#' Version: v.4.2.28

I. Abstract

BigTree CMS is publicly licensed under the GNU Lesser General Public License
It is an open source content management system built on PHP and MySQL

II. Introduction

2.1 Accessing, Modifying or Executing Executable Files

An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.

2.2 vulnerability analysis for bigtree cms
At the file
/core/inc/bigtree/apis/storage.php
line 11
var $DisabledExtensionRegEx = '/.(exe|com|bat|php|rb|py|cgi|pl|sh|asp|aspx)/i';

The code of Regular expression shows that i could be bypassed by upload a file

sometime, the lamp environment install on ubuntu and debian with apt-get can Resolved to pht and phtml,so wo can bypass to upload a file

in http://www.attacker.com/site/index.php/admin/trees/add/
upload file Name xxx.pht or xxx.phtml

Then the attacker could get a webshell by using this method
the webshell url :
http://www.attacker.com/site/files/resources/test.pht

2.3 Solution
Use white lists instead of black lists

thank you
timbuckingham added a commit that referenced this issue May 25, 2017
@timbuckingham
Disabling phtml/pht files from being uploaded.
b722939 
#280
@timbuckingham timbuckingham mentioned this issue May 25, 2017
Open
@timbuckingham
Copy link
Collaborator

timbuckingham commented May 25, 2017
edited
Loading

For backwards compatibility reasons we're sticking with an updated blacklist in 4.2.19 but will be moving to a whitelist approach in BigTree 5.0. Moving the whitelist issue to a new thread and closing this issue.

Thank you for the bug report!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@timbuckingham @xfkxfk