Arbitrary File Upload - Security #812
I was trying the application for a while and noticed that a regular user (Editor role) can upload an arbitrary file, in this case a PHP file. From there he can run remote PHP commands in the server context.
Is it OK to describe the vulnerability here, or would you prefer that I send it in private?
The upload function for pictures works by POSTing to "/admin/ajax/upload-files"; an Editor role user can upload pictures when he creates or modifies content.
Now a malicious user can modify the HTTP request to edit the photo content and name; here I am using the Burp Suite proxy to do it:
and the response is:
Next the malicious user can request the uploaded PHP file since the path is known from the HTTP response. Here I am running a system command using the PHP page:
By now the malicious user has remote command execution through the web shell and can run any terminal command he wants, for example download the user database file (XML) and start cracking all users' passwords, since the hash is stored along with the salt.
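A server-side check that would reject the request described in the report above, added here as an example; it is not part of the original report or the project's code. The function names `safeImageName` and `storeUpload` and the allowlist are hypothetical, and the sketch assumes the endpoint receives the picture as a standard PHP `$_FILES` entry.

```php
<?php
// Added example: hypothetical helpers, not code from the project.
// Maps the MIME type detected from the file *content* to the only
// extension that will ever be written to disk.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate an uploaded picture and return a server-chosen file name.
 * $tmpPath is the temporary upload (e.g. $_FILES['file']['tmp_name']).
 * Throws RuntimeException when the upload must be rejected.
 */
function safeImageName(string $tmpPath): string
{
    // Detect the type from the bytes, never from the client-supplied
    // file name or Content-Type header: both can be edited in a proxy.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if ($mime === false || !isset(ALLOWED_IMAGE_TYPES[$mime])) {
        throw new RuntimeException('Rejected: not an allowed image type');
    }
    // The file must also parse as an image with sane dimensions.
    $info = @getimagesize($tmpPath);
    if ($info === false || $info[0] < 1 || $info[1] < 1) {
        throw new RuntimeException('Rejected: not a decodable image');
    }
    // Discard the client file name entirely and generate a random one,
    // so a ".php" name from the request never reaches the file system.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
}

/** Store one $_FILES entry in $uploadDir and return the stored name. */
function storeUpload(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Rejected: upload failed');
    }
    $name = safeImageName($file['tmp_name']);
    if (!move_uploaded_file($file['tmp_name'], $uploadDir . '/' . $name)) {
        throw new RuntimeException('Could not store upload');
    }
    return $name;
}
```

Content checks alone do not stop a valid image that also carries PHP code, so the forced image extension matters, and the upload directory should additionally be served with script execution disabled or kept outside the web root.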