This repository was archived by the owner on Jan 6, 2023. It is now read-only.

[SECURITY] Web Shell Upload #979

Closed
@ybelenko

Description

@ybelenko

Feature Request

About the audited Directus version: it has been cloned from the suite repo.
Latest commit directus/directus@1d151a9

Description:

An attacker can exploit the file upload function (which lacks effective restrictions and validation) by uploading a web shell to the uploads storage directory. Thus, the attacker can take control of the accounts and workstations of application users and administrators, and of the server itself.

The attacker does not need a very high level of technical knowledge to perform this attack. However, he does need specially crafted malicious files.

Business risk:

A malicious user can completely take over the application and the server.

Technical details:

The upload functionality allows a user to upload an image as the avatar in their profile. However, because there is no validation of the uploaded file types, and because the upload directory has execute permissions, this functionality can be abused by a malicious user to upload a web shell and take over the whole system.

In the screenshots below it is possible to see that a web shell file was uploaded to the server via the avatar upload functionality. As can be seen, the attacker was able to run commands on the backend server.

As the application sets the cookie PHPSESSID, it is possible to tell that the server-side programming language is PHP.

img1

It was also possible to see that every user has direct access to the uploaded file:

img2

And

img3

Once an attacker knows which type of shell he needs, the next step is uploading the web shell itself:

img4

It is possible to see that the attacker is able to run commands on the backend server itself, and thus can completely compromise the server.

What problem does this feature solve?

Fixes security hole.

How do you think this should be implemented?

  • The uploaded file types must be restricted to only the necessary file types and must be validated on the server side.
  • The upload directory should not have any execute permission, and all script handlers should be removed from these directories.
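Server-side validation along the lines of the first bullet, as an added example; this is not Directus code and assumes a PHP backend with the fileinfo extension and a `$_FILES` entry handed in by the controller.

```php
<?php
// Added example (not Directus code): validate an avatar upload on the server
// before it reaches the uploads directory. Assumes PHP >= 7.4 with the fileinfo
// extension; $upload is one entry of $_FILES passed in by the controller.

// Allowlist: MIME type detected from the bytes => canonical extension.
const AVATAR_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];
const AVATAR_MAX_BYTES = 2 * 1024 * 1024;

/**
 * Returns the canonical extension for a valid image upload, or throws.
 * The client-supplied filename and $upload['type'] are never trusted.
 */
function validateAvatarUpload(array $upload): string
{
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($upload['size'] > AVATAR_MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Sniff the real type from file content, not from the name or extension.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($upload['tmp_name']);
    if (!isset(AVATAR_TYPES[$mime])) {
        throw new RuntimeException('unsupported file type: ' . $mime);
    }
    // It must also parse as an image. A polyglot can still pass both checks,
    // which is why the stored name and the directory config matter too.
    if (@getimagesize($upload['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }
    return AVATAR_TYPES[$mime];
}

/** Store the file under a random server-chosen name with the canonical extension. */
function storeAvatar(array $upload, string $uploadDir): string
{
    $ext  = validateAvatarUpload($upload);
    $name = bin2hex(random_bytes(16)) . '.' . $ext; // never reuse the client name
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($upload['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644); // data only, never executable
    return $name;
}
```

Pair this with the second bullet: remove script handlers from the uploads directory (for example an Apache `.htaccess` with `RemoveHandler .php .phtml` and, under mod_php, `php_flag engine off`, or an nginx `location` that serves the directory as static files only), so that even a file that slips past validation is never executed.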

Would you be willing to work on this?

Maybe, with help/guidance from Directus team.

Metadata

Assignees

No one assigned

    Labels

    alt stack (Extend unofficial support to alternate stack), bug (Something isn't working)

    Type

    No type

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests
