File upload vulnerability #1242
Comments
I do not understand how you will connect using 'ant'. The given URL shows only phpinfo(). Giving access to phpinfo() is in any case not a good idea. And: to upload the file 1.php you need admin access in Bludit or access to the server.
Yes, I show the phpinfo() because I just want to prove that the vulnerability exists.
That still makes no sense. You use admin rights or access to the server. With this you can always "hack" your own installation.
If someone steals the administrator password, then they can use this vulnerability to execute arbitrary system commands.
Any ideas how to solve this issue?
If you cannot control the number of files and the file content in the backup file, you can consider performing secondary authentication for this functional module.
A secondary authentication is an interesting idea, but how should it work? I mean the user has administrator rights. It doesn't make sense to use an email link, since the admin can change it to his own one before. An additional password doesn't help either, since he obviously already figured out the password of the admin account. A solution would be to look at each single file of the backup archive instead, but that's maybe horribly slow if the Bludit website has hundreds or thousands of pages and files. The Backup plugin could also generate a unique signature and sign all the backup archives with it using their hashed value. But, in this case you need to keep the 'signature key' if you need to upload the backup on another website or if the backup plugin or the signature file respectively gets removed from the Bludit installation itself. (The only benefit would be that the archive can still be manually uploaded to the Bludit website if something like that happened.)
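The two mitigations discussed in this thread, signing each generated archive and inspecting the archive entries before a restore, look roughly like this in PHP. This is an added example, not code from Bludit or the Backup plugin; every function name, the key storage location and the extension list are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not Bludit's or the Backup plugin's own code. It shows the two
// defences proposed in the thread: signing each generated backup archive with a
// per-installation key and, independently, inspecting every archive entry before
// a restore. All function names and file locations below are assumptions.

// Extensions that must never be written back into the web root by a restore.
// Constructed list; extend it to match the server's handler configuration.
const FORBIDDEN_EXTENSIONS = [
    'php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'phps', 'pht',
    'htaccess', 'cgi', 'pl', 'sh',
];

/**
 * HMAC over the archive bytes. The key is generated once per installation and
 * stored outside the archive (assumed: a random file under bl-content/), so an
 * archive built elsewhere or edited after creation cannot carry a valid tag.
 */
function signBackup(string $archivePath, string $key): string
{
    return hash_hmac('sha256', (string) file_get_contents($archivePath), $key);
}

/** Recompute the tag and compare it in constant time. */
function verifyBackupSignature(string $archivePath, string $expectedHex, string $key): bool
{
    return hash_equals($expectedHex, signBackup($archivePath, $key));
}

/**
 * Walk the central directory without extracting anything and collect problems.
 * An empty return value means every entry passed.
 */
function inspectBackupEntries(string $archivePath): array
{
    $problems = [];
    $zip = new ZipArchive();
    if ($zip->open($archivePath) !== true) {
        return ['archive could not be opened'];
    }
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if ($name === false || $name === '') {
            continue;
        }
        $path = str_replace('\\', '/', $name);

        // Entry names are attacker-controlled: refuse absolute paths and "..".
        if ($path[0] === '/' || in_array('..', explode('/', $path), true)) {
            $problems[] = "path traversal in entry: $name";
            continue;
        }
        // Directory entries carry no content.
        if (substr($path, -1) === '/') {
            continue;
        }
        // Check every extension after the stem, so "1.php", ".htaccess" and
        // "shell.php.jpg" are all caught.
        $parts = explode('.', basename($path));
        array_shift($parts);
        foreach ($parts as $ext) {
            if (in_array(strtolower($ext), FORBIDDEN_EXTENSIONS, true)) {
                $problems[] = "executable file in archive: $name";
                break;
            }
        }
    }
    $zip->close();
    return $problems;
}

/** Both checks must pass before the plugin extracts anything. */
function backupIsSafeToRestore(string $archivePath, string $signatureHex, string $key): bool
{
    return verifyBackupSignature($archivePath, $signatureHex, $key)
        && inspectBackupEntries($archivePath) === [];
}

// Usage: build a constructed archive that mirrors the report (a PHP file under
// bl-content/uploads) and run both checks against it.
$archive = sys_get_temp_dir() . '/constructed-backup-' . bin2hex(random_bytes(4)) . '.zip';
$zip = new ZipArchive();
$zip->open($archive, ZipArchive::CREATE);
$zip->addFromString('bl-content/pages/hello/index.txt', "Title: hello\n");
$zip->addFromString('bl-content/uploads/1.php', '<?php // constructed placeholder');
$zip->close();

$key = bin2hex(random_bytes(32));   // would be created once and kept outside the archive
$tag = signBackup($archive, $key);

var_dump(verifyBackupSignature($archive, $tag, $key));          // right key
var_dump(verifyBackupSignature($archive, $tag, 'another-key')); // key of a different installation
print_r(inspectBackupEntries($archive));                        // problems found in the entries
var_dump(backupIsSafeToRestore($archive, $tag, $key));
unlink($archive);
```

The signature check answers the concern in the comment above about archives moved between installations: an archive from another site fails verification unless its key is moved with it, which is exactly the trade-off described. The entry inspection only reads the central directory, so it stays cheap even for archives with thousands of files, and it is what catches the case from the report even when the signature key has been lost or reset.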
Yes, your idea is very good, it can fix this vulnerability.
Hello, with the new version of Bludit v4.0 rc1, I would like to close the old GitHub issues. If you feel that your issue is not resolved in the latest version, create a new ticket.
Bludit v3.13.0 has a file upload vulnerability in the 'backup' plugin. It requires administrator privileges.

1. Open http://10.150.10.170/admin/plugins, activate the 'backup' plugin and click Settings.
2. Open http://10.150.10.170/admin/configure-plugin/pluginBackup and upload the zip file that I provide: https://github.com/zongdeiqianxing/files/blob/master/2020-07-24-13-58-42.zip
   The zip file has a 1.php in the bl-content\uploads directory.
   Note: please be careful not to open or modify this zip file, because this will cause an error.
3. Click 'Restore Backup'.
4. Open http://192.168.61.242/bl-content/uploads/1.php

Opening the URL shows phpinfo(), and 'ant' can be used to connect to the backdoor via http://xx.xx.xx.xx/bl-content/uploads/1.php