[SECURITY] Web Shell Upload #979
About audited Directus version.
An attacker can exploit the file upload function (which lacks effective restrictions and validations) by uploading a web shell to the uploads storage directory. Thus, the attacker can take control of the accounts and workstations of application users and administrators, and of the server itself.
The attacker does not need a very high level of technological knowledge to perform this attack. However, he does need specially crafted malicious files.
A malicious user can completely take over the application and the server.
The upload functionality allows a user to upload an image as an avatar in their profile; however, because there are no validations of the uploaded file types and because the uploads directory has a
In the screenshots below it is possible to see that a web shell file was uploaded to the server via the avatar upload functionality. As can be seen, an attacker was able to run commands on the backend server.
As the application sets cookie
It was also possible to see that every user has a direct access to the uploaded file:
Once an attacker knows which type of shell he needs, the next step is uploading the web shell itself:
It is possible to see that an attacker is able to run commands on the backend server itself, and thus can completely compromise the server.
What problem does this feature solve?
Fixes security hole.
How do you think this should be implemented?
Would you be willing to work on this?
Maybe, with help/guidance from Directus team.
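Added example (not Directus code and not from the reporter): the kind of server-side checks that would have rejected the avatar upload described above, written in Python as a language-agnostic illustration. The three accepted formats and their magic bytes, the size limit, the random rename, the storage directory and the sample uploads are all assumptions or constructed for this example.

```python
import os
import re
import secrets
import tempfile
from dataclasses import dataclass

# Avatar formats the endpoint accepts, keyed by the extension the stored copy gets.
# The magic bytes are the standard signatures of each format; restricting avatars
# to these three formats is an assumption made for this example.
ALLOWED_IMAGES = {
    "png": (b"\x89PNG\r\n\x1a\n", "image/png"),
    "jpg": (b"\xff\xd8\xff", "image/jpeg"),
    "gif": (b"GIF8", "image/gif"),
}

# Markers a server-side interpreter would act on if the file were ever executed.
# This is defence in depth only: a valid image can still carry such text (e.g. in
# metadata), so the primary controls are the allowlist, the random rename and a
# storage location that is never mapped to a script handler, not this scan.
SCRIPT_MARKERS = re.compile(rb"<\?php|<\?=|<%|<script\b", re.IGNORECASE)

# Constructed sample uploads (not files from the report).
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
PHP_SAMPLE = b"<?php echo 'constructed sample'; ?>\n"


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the message names the failed check."""


@dataclass
class StoredUpload:
    stored_name: str      # random server-chosen name, never the client's filename
    content_type: str     # derived from the verified magic bytes, not the extension


def validate_avatar(filename: str, data: bytes, max_bytes: int = 2 * 1024 * 1024):
    """Return (extension, content_type) for an acceptable image, else raise UploadRejected."""
    if not data or len(data) > max_bytes:
        raise UploadRejected("empty or oversized upload")
    # Only the final extension counts, and it must be on the allowlist.
    base = os.path.basename(filename)
    ext = base.rsplit(".", 1)[1].lower() if "." in base else ""
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED_IMAGES:
        raise UploadRejected(f"extension not allowed: {ext!r}")
    magic, content_type = ALLOWED_IMAGES[ext]
    # The bytes must really be that image type: 'shell.php.png' with PHP inside fails here.
    if not data.startswith(magic):
        raise UploadRejected("content does not match the claimed image type")
    if SCRIPT_MARKERS.search(data):
        raise UploadRejected("embedded script marker found")
    return ext, content_type


def store_avatar(filename: str, data: bytes, storage_dir: str) -> StoredUpload:
    """Validate, then write under a random name with no execute bit.

    storage_dir is assumed to be outside the web root (or served only through the
    application), so nothing written here is ever handed to a script handler."""
    ext, content_type = validate_avatar(filename, data)
    stored_name = f"{secrets.token_hex(16)}.{ext}"
    os.makedirs(storage_dir, exist_ok=True)
    path = os.path.join(storage_dir, stored_name)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o640)
    return StoredUpload(stored_name, content_type)


def demo() -> dict:
    """Run the checks over constructed uploads; maps each name to 'accepted' or the rejection reason."""
    samples = {
        "me.png": PNG_SAMPLE,
        "shell.php": PHP_SAMPLE,
        "shell.php.png": PHP_SAMPLE,
        "polyglot.gif": b"GIF89a" + PHP_SAMPLE,   # valid GIF header with script text behind it
    }
    results = {}
    with tempfile.TemporaryDirectory() as storage_dir:
        for name, data in samples.items():
            try:
                store_avatar(name, data, storage_dir)
                results[name] = "accepted"
            except UploadRejected as exc:
                results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15} {outcome}")
```

The order of the checks matters: the extension allowlist alone would still pass `shell.php.png`, the magic-byte check alone would still pass a GIF-header polyglot, and neither makes the file safe if the web server later maps the stored name to PHP, which is why the file is also renamed and kept out of any script-handled path.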
After some investigation it turns out that file permissions don't forbid browser execution. I've changed the permissions of the uploaded PHP file with
It's weird that these lines in
The first solution from a web search is How to show PHP files as plain text in Apache. So I tried that:

```apache
<FilesMatch "\.(php|phps|php5|htm|shtml|xhtml|cgi.+)$">
    # php_flag only takes effect when PHP runs as mod_php; it is ignored under PHP-FPM/FastCGI
    php_flag engine off
    ForceType text/plain
</FilesMatch>
```

PHP works. Next I checked the precise example from the post:

```apache
<FilesMatch "\.(php|phps|php5|htm|shtml|xhtml|cgi.+)$">
    php_flag engine off
    # This will prevent apache from executing *.php-files
    AddType text/plain php
    # this will display php-files in browser (if not, browser will want to download file!)
</FilesMatch>
```

Doesn't help, PHP executes. As a last solution I've forbidden access to PHP files:

```apache
<FilesMatch "\.(php|phps|php5|htm|shtml|xhtml|cgi.+)$">
    # Apache 2.2 access syntax (needs mod_access_compat on 2.4, where the native form is "Require all denied")
    Order Deny,Allow
    Deny from All
</FilesMatch>
```

This one gives
Re: Docker, I believe the updated docker setup will rely on Apache (@WoLfulus?)
Seeing that static files are served from the webserver directly, which means it bypasses the Directus API, there's nothing we can do in the API itself to mitigate this issue for every possible webserver
Would there be any possibility to have a PHP endpoint for files instead of relying directly on the webserver @directus/api-team? That way we might be able to fix it regardless of webserver.
Generally speaking: the less reliance on Apache proprietary stuff the better
Ah, I was thinking of this page:
I think passing all files through the backend/API would give us a lot of control and flexibility — but we'd need to make absolutely sure that this wouldn't add too much overhead, latency, issues, etc. Also, it would be nice if this could be bypassed to access files traditionally (if all are set to public).
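Added example of the "serve files through the API instead of the webserver" idea discussed in this thread. It is not Directus code; `serve_file`, `resolve_inside`, the `permitted` access hook and the sample files are invented for the example, and Python is used as a language-agnostic sketch. The point it shows is that once the application reads the bytes and returns them itself, the stored file is never mapped to a script handler, whatever web server sits in front, and the response headers keep the content inert in the browser.

```python
import os
import re
import tempfile
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Types the endpoint lets a browser render inline, recognised by magic bytes.
# Everything else is delivered as an opaque download. Limiting inline rendering
# to images is an assumption for this example.
INLINE_TYPES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}


@dataclass
class FileResponse:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def resolve_inside(root: str, name: str) -> Optional[str]:
    """Map a requested name to a real path strictly inside root, or None if it escapes."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, name))
    if not candidate.startswith(root_real + os.sep):
        return None
    return candidate


def sniff_inline_type(head: bytes) -> Optional[str]:
    """Content type from the leading bytes, or None if it is not an allowlisted image."""
    for magic, ctype in INLINE_TYPES.items():
        if head.startswith(magic):
            return ctype
    return None


def serve_file(root: str, name: str, permitted: Callable[[str], bool]) -> FileResponse:
    """Read a stored file and return it as data with headers that keep it inert.

    `permitted` is a hypothetical access-control hook (file is public, or belongs
    to the requesting user). The bytes are read and returned by the application,
    so the web server never hands the stored file to a script handler."""
    path = resolve_inside(root, name)
    if path is None or not os.path.isfile(path):
        return FileResponse(404)
    if not permitted(name):
        return FileResponse(403)
    with open(path, "rb") as fh:
        body = fh.read()
    headers = {
        # Stop browsers from second-guessing the declared type.
        "X-Content-Type-Options": "nosniff",
        # Even if HTML or SVG slipped through, forbid scripts and same-origin access.
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
    ctype = sniff_inline_type(body[:16])
    if ctype:
        headers["Content-Type"] = ctype
        headers["Content-Disposition"] = "inline"
    else:
        safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", os.path.basename(path))
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
    return FileResponse(200, headers, body)


def demo() -> Dict[str, tuple]:
    """Serve constructed files from a temporary storage root; maps request -> (status, type, disposition)."""
    results = {}
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "storage")
        os.mkdir(root)
        files = {
            os.path.join(root, "avatar.png"): png,
            os.path.join(root, "private.png"): png,
            os.path.join(root, "upload.php"): b"<?php echo 'constructed sample'; ?>\n",
            os.path.join(base, "outside.txt"): b"not inside the storage root\n",
        }
        for path, data in files.items():
            with open(path, "wb") as fh:
                fh.write(data)
        public = {"avatar.png", "upload.php"}           # hypothetical "public" flag
        for req in ("avatar.png", "upload.php", "private.png", "../outside.txt", "missing.png"):
            resp = serve_file(root, req, lambda n: n in public)
            results[req] = (resp.status,
                            resp.headers.get("Content-Type"),
                            resp.headers.get("Content-Disposition", "").split(";")[0])
    return results


if __name__ == "__main__":
    for req, outcome in demo().items():
        print(f"{req:16} {outcome}")
```

In the demo the stray `upload.php` is still delivered, but only as `application/octet-stream` bytes in a download, which is the difference between a file in storage and a file the server executes. The overhead concern raised in the thread is real: every file fetch is now an application request. The usual answer is to let the application do the checks above and then hand the actual transfer back to the web server with `X-Sendfile` (Apache mod_xsendfile) or `X-Accel-Redirect` (nginx), so authorization stays in the API while the bytes are still streamed by the server.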
Thanks @pgl — I've updated the intro to that page to be more clear! :)