Arbitrary File Upload - Security #812
Comments
Hi,
Hi Diego, the picture upload is done by POSTing to "/admin/ajax/upload-files"; a user with the Editor role can upload pictures when he creates or modifies content. Now a malicious user can modify the HTTP request to change the file content and name. Here I am using a Burp Suite proxy to do it:
Next, the malicious user can request the uploaded PHP file, since the path is known from the HTTP response. Here I am running a system command using the PHP page:
By now the malicious user has remote command execution through the web shell and can run any terminal command he wants, for example download the user database file (XML) and start cracking all users' passwords, since the hash is stored along with the salt. Mitigation: Thanks,
Clear, I'm going to check the file extension. There is another way, checking the EXIF data, but I would need to add more requirements to the system and I don't want to add more complexity for the users.
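The extension allowlist the maintainer mentions, combined with a content check and a server-generated file name, as an added example that is not Bludit's own code; the function name, the `$_FILES` key and the upload directory are assumptions for illustration.

```php
<?php
// Added example (not Bludit's code): validation for an image upload handler
// such as the one behind /admin/ajax/upload-files. Returns the stored file
// name on success, or null when the upload must be rejected.
function validateImageUpload(array $file, string $uploadDir): ?string
{
    // Allowlist: only image extensions; php, phtml, etc. are never accepted.
    $allowedExt  = ['jpg', 'jpeg', 'png', 'gif'];
    // The MIME type derived from the file's magic bytes must match as well.
    $allowedMime = ['image/jpeg', 'image/png', 'image/gif'];

    if (!isset($file['tmp_name'], $file['name']) || !is_uploaded_file($file['tmp_name'])) {
        return null; // not a file PHP received through this request
    }

    // Look only at the last extension of the client-supplied name.
    $ext = strtolower(pathinfo(basename($file['name']), PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }

    // Check the real content rather than the client-controlled Content-Type header.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, $allowedMime, true)) {
        return null;
    }
    if (@getimagesize($file['tmp_name']) === false) {
        return null; // magic bytes matched but the file does not parse as an image
    }

    // Never reuse the client's name on disk: a random name plus the validated
    // extension means double extensions or traversal in the name never reach storage.
    $safeName = bin2hex(random_bytes(8)) . '.' . $ext;
    $dest     = rtrim($uploadDir, '/') . '/' . $safeName;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    return $safeName;
}

// Constructed usage inside an upload endpoint (assumed key and directory):
// $stored = validateImageUpload($_FILES['images'], __DIR__ . '/uploads');
// if ($stored === null) { http_response_code(400); exit('Invalid image'); }
```

The upload directory should additionally be served without script execution (for example, no PHP handler for that path), so that a validation bypass cannot turn an uploaded file into a web shell.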
You're welcome, glad I could help.
Implemented in Bludit v3.1.0. Thanks!
Hi There,
I was trying the application for a while and noticed that a regular user (Editor role) can upload an arbitrary file, in this case a PHP file. He can then run remote PHP commands in the server context.
Is it OK to describe the vulnerability here, or do you prefer that I send it in private?
Thanks.