
Bludit V3.12.0 -- Admin File Upload vulnerability #1218

Closed
whiskey-jj opened this issue Jun 27, 2020 · 2 comments

Comments

@whiskey-jj

Describe your problem

A file upload vulnerability was discovered in Bludit V3.12.0.
Hackers need administrator rights.
A hacker can use a backup file to control the server.

Steps to reproduce the problem

  1. Download the latest version of Bludit from GitHub.

  2. Use Burp Suite when uploading the logo in the admin backend.
    Change the picture content to PHP code:
    <?php eval($_POST[cmd]); ?>

  3. Enable the backup plugin. Generate and download a backup file, then modify the extension of the logo file directly in the zip file.
    If you unzip the backup to modify it, the upload will be blocked by the WAF.

  4. Access http://127.0.0.1/bl-content/uploads/BLUDIT.php to get the webshell.

Vulnerability in /bl-plugins/backup/plugin.php

	public function uploadBackup($backup)
	{
		global $L;

		// Check File Type
		if ($backup["type"] !== "application/zip" && $backup["type"] !== "application/x-zip-compressed") {
			return $this->response(415, $L->get("The passed file is not a valid ZIP Archive."));
		}

		// Check File Extension
		if (stripos($backup["name"], ".zip") !== (strlen($backup["name"]) - 4)) {
			return $this->response(415, $L->get("The passed file does not end with .zip."));
		}

		// Check ZIP extension
		if(!$this->zip) {
			return $this->response(400, $L->get("The passed file could not be validated."));
		}

		// Validate ZIP File
		$zip = new ZipArchive();
		$zip->open($backup["tmp_name"]);
		if($zip->addEmptyDir("databases") || $zip->addEmptyDir("pages") || $zip->addEmptyDir("uploads")) {
			$zip->close();
			return $this->response(415, $L->get("The passed file is not a valid backup archive."));
		}
		$zip->close();

		// File Name
		$name = $backup["name"];
		$count = 0;
		while (file_exists($this->workspace() . $name)) {
			$name = substr($backup["name"], 0, -4) . "." . ++$count . ".zip";
		}

		// Move File to Backup Directory
		Filesystem::mv($backup["tmp_name"], $this->workspace() . $name);
		return $this->response(200, $L->get("The backup file could be uploaded successfully."));
	}
}

We can check the content of images uploaded by users,
or just delete the backup module.

Bludit version

V3.12.0

PHP version

PHP7.3.9nts

@ghost

ghost commented Jun 28, 2020

Hello,

my solution, as submitted as 2 pull requests, is

  • validating the MIME type in addition to the file extension
  • adding an MD5 checksum file to the backup archive

This should fix this vulnerability.

~ Sam.

PS.: Thanks for mentioning Burp Suite, I didn't know about this program. It's really cool. :D

@whiskey-jj

Hello,
I found a way to bypass the restrictions in the new version and execute files.
For the MD5 detection, attackers only need to set up a local environment, add PHP files to the folder (for example, \bludit-master\bl-content\uploads\profiles), and then use the zip file generated by the backup function to attack other servers.
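The check the reporter suggests in the first post, as an added example that is not part of this issue or of Bludit's code: every entry of the uploaded archive is inspected by content before extraction, which a checksum file cannot provide, since the last comment shows the attacker builds the archive locally. The rule that uploads/ may only hold images, and the allowed types, are assumptions for illustration.

```php
<?php
// Added example, not Bludit's code. Validates an uploaded backup archive entry by
// entry: rejects path traversal, and requires anything under uploads/ to carry an
// image extension AND decode as that image type (the reported logo was PHP text).
// Assumptions: uploads/ is image-only; databases/ and pages/ are left to the caller.
const IMAGE_TYPES = [
    'jpg'  => IMAGETYPE_JPEG,
    'jpeg' => IMAGETYPE_JPEG,
    'png'  => IMAGETYPE_PNG,
    'gif'  => IMAGETYPE_GIF,
];

/** Returns a list of problems; an empty list means the archive passed. */
function validateBackupArchive(string $zipPath): array
{
    $problems = [];
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        return ['archive could not be opened'];
    }
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name  = $zip->getNameIndex($i);
        $parts = explode('/', str_replace('\\', '/', $name));
        // Absolute paths or ".." segments would let extraction escape the workspace.
        if (strpos($name, '/') === 0 || in_array('..', $parts, true)) {
            $problems[] = "$name: path traversal";
            continue;
        }
        // Skip directory entries and anything outside uploads/ (see assumptions).
        if (substr($name, -1) === '/' || strpos($name, 'uploads/') !== 0) {
            continue;
        }
        $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        if (!isset(IMAGE_TYPES[$ext])) {
            $problems[] = "$name: extension .$ext not allowed under uploads/";
            continue;
        }
        // The extension is not enough: the bytes must parse as that image type.
        $info = @getimagesizefromstring((string) $zip->getFromIndex($i));
        if ($info === false || $info[2] !== IMAGE_TYPES[$ext]) {
            $problems[] = "$name: content is not a valid $ext image";
        }
    }
    $zip->close();
    return $problems;
}

// Constructed usage: non-zero exit if anything in the archive is rejected.
$problems = validateBackupArchive($argv[1] ?? 'backup.zip');
foreach ($problems as $p) { fwrite(STDERR, "rejected: $p\n"); }
exit($problems ? 1 : 0);
```

Run it against a backup before calling the restore step; an archive carrying uploads/BLUDIT.php, or an image name whose bytes are PHP source, is reported and never extracted.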
