
File upload vulnerability #1242

Closed
zongdeiqianxing opened this issue Jul 24, 2020 · 9 comments

Comments

@zongdeiqianxing

Bludit v3.13.0 has a file upload vulnerability in the 'backup' plugin. It requires administrator privileges.

1. Open http://10.150.10.170/admin/plugins, activate the 'backup' plugin and click Settings.

2. Open http://10.150.10.170/admin/configure-plugin/pluginBackup and upload the zip file that I provide: 'https://github.com/zongdeiqianxing/files/blob/master/2020-07-24-13-58-42.zip'.
The zip file has a 1.php in the bl-content\uploads directory.
Notice: please be careful not to open or modify this zip file, because this will cause an error.

3. Click 'Restore Backup'.

4. Open http://192.168.61.242/bl-content/uploads/1.php
Opening the URL shows phpinfo(), and 'ant' can be used to connect to the backdoor via http://xx.xx.xx.xx/bl-content/uploads/1.php

@clickwork-git
Contributor

Opening the URL shows phpinfo(), and 'ant' can be used to connect to the backdoor via http://xx.xx.xx.xx/bl-content/uploads/1.php.

I do not understand how you will connect using 'ant'. The given URL shows only phpinfo(). Giving access to phpinfo() is in any case not a good idea.

And: to upload the file 1.php you need admin access in Bludit or access to the server.

@zongdeiqianxing
Author

Yes, I show the phpinfo() just to prove that the vulnerability exists.
And you can use https://github.com/AntSwordProject/AntSword-Loader/blob/4.0.3/AntSword-Loader-v4.0.3-win32-x64.zip to connect to the 1.php, or you can learn about 'webshell' first.

@clickwork-git
Contributor

It still makes no sense. You use admin rights or access to the server. With this you can always "hack" your own installation.

@zongdeiqianxing
Author

If someone steals the administrator password, they can then use this vulnerability to execute arbitrary system commands.

@dignajar
Member

Ideas how to solve this issue?

@zongdeiqianxing
Author

If you cannot control the number of files and the file contents in the backup file, you could consider performing secondary authentication for this functional module.

@ghost

ghost commented Jul 29, 2020

A secondary authentication is an interesting idea, but how should it work?

I mean the user has administrator rights.

It doesn’t make sense to use an email link, since the admin can change it to his own one beforehand. An additional password doesn’t help either, since he obviously already figured out the password of the admin account.

A solution would be to look at each single file of the backup archive instead, but that’s maybe horribly slow if the Bludit website has hundreds or thousands of pages and files.

The Backup plugin could also generate a unique signature and sign all the backup archives with it using their hashed value. But in this case you need to keep the ‘signature key’ if you need to upload the backup to another website, or if the backup plugin or the signature file respectively gets removed from the Bludit installation itself. (The only benefit would be that the archive can still be manually uploaded to the Bludit website if something like that happened.)
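
One way to implement both ideas from this comment (inspecting every entry of the archive, and a per-site signature over it) as an added example in Python; this is not Bludit's or the Backup plugin's code, and the signing key, the extension list and the sample archives are constructed for the example:

```python
import hashlib, hmac, io, posixpath, zipfile

# Constructed per-site key for this example; a real plugin would generate one
# at install time and keep it outside the web root.
SIGNING_KEY = b"example-per-site-signing-key"
# Extensions the web server would execute if they landed under bl-content/uploads.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php3", ".php5", ".phar"}
UPLOADS_DIR = "bl-content/uploads/"

def sign_archive(archive_bytes, key=SIGNING_KEY):
    """HMAC-SHA256 over the whole archive: the 'signature' the comment proposes."""
    return hmac.new(key, archive_bytes, hashlib.sha256).hexdigest()

def signature_valid(archive_bytes, signature, key=SIGNING_KEY):
    # Constant-time comparison so a forged tag cannot be guessed byte by byte.
    return hmac.compare_digest(sign_archive(archive_bytes, key), signature)

def archive_problems(archive_bytes):
    """Inspect every entry (the per-file check the comment worries is slow): flag
    paths that escape the archive root and server-side scripts under uploads."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            norm = posixpath.normpath(name.replace("\\", "/"))
            if norm.startswith("/") or norm == ".." or norm.startswith("../"):
                problems.append("path escapes archive root: " + name)
            elif norm.startswith(UPLOADS_DIR) and posixpath.splitext(norm)[1].lower() in SCRIPT_EXTENSIONS:
                problems.append("server-side script in uploads: " + name)
    return problems

def safe_to_restore(archive_bytes, signature):
    """Return (ok, problems); the plugin should restore only when ok is True."""
    if not signature_valid(archive_bytes, signature):
        return False, ["signature mismatch: archive was not produced by this site"]
    problems = archive_problems(archive_bytes)
    return not problems, problems

def build_zip(entries):
    """Build an in-memory zip from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample archives: a legitimate backup (Bludit's databases are .php
# files, so scripts are only a problem under uploads) and one carrying 1.php.
CLEAN_ZIP = build_zip({"bl-content/databases/site.php": b"<?php // db",
                       "bl-content/uploads/photo.jpg": b"\xff\xd8\xff"})
TAINTED_ZIP = build_zip({"bl-content/uploads/1.php": b"<?php /* constructed placeholder */"})
```

The signature check costs one pass over the archive bytes, and the per-entry scan only reads the central directory, so neither needs to extract the files before deciding.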

@zongdeiqianxing
Author

Yes, your idea is very good; it can fix this vulnerability.

@dignajar
Member

Hello, with the new version of Bludit v4.0 rc1, I would like to close the old Github issues. If you feel that your issue is not resolved in the latest version, create a new ticket.
