Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security hole for upload file bypass #280

Closed
xfkxfk opened this issue May 16, 2017 · 1 comment

Comments

Projects
None yet
2 participants
@xfkxfk
Copy link

commented May 16, 2017

#' Exploit Title: File Upload Bypass
#' Vulnerability Type: Accessing, Modifying or Executing Executable Files (CAPEC-17)
#' Reporting Date: 16-05-2017
#' Author: @xfkxfk
#' Vendor Homepage: https://www.bigtreecms.org/
#' Software Link: https://github.com/bigtreecms/BigTree-CMS/
#' Version: v.4.2.28

I. Abstract

BigTree CMS is publicly licensed under the GNU Lesser General Public License
It is an open source content management system built on PHP and MySQL

II. Introduction

2.1 Accessing, Modifying or Executing Executable Files

An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.

2.2 vulnerability analysis for bigtree cms
At the file
/core/inc/bigtree/apis/storage.php
line 11
var $DisabledExtensionRegEx = '/.(exe|com|bat|php|rb|py|cgi|pl|sh|asp|aspx)/i';

The code of Regular expression shows that i could be bypassed by upload a file

sometime, the lamp environment install on ubuntu and debian with apt-get can Resolved to pht and phtml,so wo can bypass to upload a file

in http://www.attacker.com/site/index.php/admin/trees/add/
upload file Name xxx.pht or xxx.phtml

Then the attacker could get a webshell by using this method
the webshell url :
http://www.attacker.com/site/files/resources/test.pht

2.3 Solution
Use white lists instead of black lists

thank you

@timbuckingham

This comment has been minimized.

Copy link
Collaborator

commented May 25, 2017

For backwards compatibility reasons we're sticking with an updated blacklist in 4.2.19 but will be moving to a whitelist approach in BigTree 5.0. Moving the whitelist issue to a new thread and closing this issue.

Thank you for the bug report!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.