[SECURITY] Web Shell Upload #979
Description
Feature Request
About the audited Directus version: it was cloned from the suite repo.
Latest commit directus/directus@1d151a9
Description:
An attacker can exploit the file upload function, which lacks effective restrictions and validation, by uploading a web shell to the uploads storage directory. From there the attacker can take control of the server itself and, through it, the accounts and workstations of application users and administrators.
The attacker does not need a very high level of technical knowledge to perform this attack; only a specially crafted malicious file is required.
Business risk:
A malicious user can completely take over the application and the server.
Technical details:
The upload functionality allows a user to upload an image as the avatar in their profile. However, because the type of the uploaded file is not validated at all, and because the upload directory has execute permission (script handlers still apply to files stored there), a malicious user can abuse this functionality to upload a web shell and take over the whole system.
The screenshots below show a web shell file being uploaded to the server via the avatar upload functionality, and the attacker then running commands on the backend server.
As the application sets a PHPSESSID cookie, it can be inferred that the server-side language is PHP, so a PHP web shell is the appropriate payload.
It was also possible to see that every user has direct access to the uploaded file:
And
Once the attacker knows which type of shell is needed, the next step is uploading the web shell itself:
The attacker is able to run commands on the backend server itself and can therefore completely compromise it.
What problem does this feature solve?
Fixes security hole.
How do you think this should be implemented?
- The uploaded file types must be restricted to only the necessary types, and the type must be validated on the server side (the client-supplied file name, extension and Content-Type must not be trusted).
- The upload directory should not have any execute permission, and all script handlers should be removed from these directories.
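The two measures above, worked through as an added example. This is illustrative code, not Directus's own upload handler: it assumes the avatar endpoint has the standard `$_FILES` entry and the absolute path of the uploads directory, and the function names, the 2 MiB limit and the allowlist of image types are assumptions. It validates by sniffing the content rather than the name, re-encodes the image so that any embedded payload is discarded, stores the file under a server-chosen name whose extension is fixed by the detected type, and writes an `.htaccess` that removes script handlers from the upload directory.

```php
<?php
// Added example (not Directus code): server-side validation of an avatar upload
// plus hardening of the upload directory. Names and limits are illustrative.
declare(strict_types=1);

const AVATAR_MAX_BYTES = 2 * 1024 * 1024;

// Allowlist keyed by the MIME type sniffed from the file *content*, mapped to
// the only extension the stored file is allowed to carry.
const AVATAR_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate an uploaded avatar and return the path it was stored under.
 * Throws RuntimeException on any failure. Nothing the client sent
 * (file name, extension, Content-Type) is trusted.
 */
function store_avatar(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (($file['size'] ?? 0) > AVATAR_MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    $tmp = $file['tmp_name'] ?? '';
    if (!is_uploaded_file($tmp)) {   // reject paths that did not arrive via the upload mechanism
        throw new RuntimeException('not an uploaded file');
    }

    // 1. Sniff the content; ignore the client-supplied type and name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if ($mime === false || !isset(AVATAR_TYPES[$mime])) {
        throw new RuntimeException('disallowed file type');
    }
    $ext = AVATAR_TYPES[$mime];

    // 2. Require the bytes to actually decode as an image of that type.
    //    A PHP file sent with an image Content-Type fails here.
    $info = @getimagesize($tmp);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('content is not a valid image');
    }

    // 3. Re-encode through GD so anything riding along in the original bytes
    //    (a "<?php" payload appended to a JPEG, PHP in an EXIF comment) is dropped.
    $img = @imagecreatefromstring((string) file_get_contents($tmp));
    if ($img === false) {
        throw new RuntimeException('image could not be decoded');
    }

    // 4. Server-chosen random name; the extension comes from the sniffed type,
    //    so "shell.php", "shell.php.jpg" or "shell.phtml" can never be stored.
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    switch ($ext) {
        case 'jpg': $ok = imagejpeg($img, $dest, 90); break;
        case 'png': $ok = imagepng($img, $dest);      break;
        default:    $ok = imagegif($img, $dest);      break;
    }
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write avatar');
    }
    chmod($dest, 0644);   // readable, never executable
    return $dest;
}

/**
 * Make the upload directory inert for Apache: PHP engine off, script handlers
 * removed, direct requests for script-like names refused, no directory listing.
 */
function harden_upload_dir(string $uploadDir): void
{
    $htaccess = <<<'HT'
# Uploads are data, never code.
php_flag engine off
RemoveHandler .php .phtml .php3 .php4 .php5 .php7 .phar .phps .cgi .pl .py
RemoveType    .php .phtml .php3 .php4 .php5 .php7 .phar .phps .cgi .pl .py
Options -ExecCGI -Indexes
<FilesMatch "\.(php\d?|phtml|phar|phps|cgi|pl|py)$">
    Require all denied
</FilesMatch>
HT;
    file_put_contents(rtrim($uploadDir, '/') . '/.htaccess', $htaccess . "\n", LOCK_EX);
}

// Usage inside the avatar endpoint (paths are assumed):
// harden_upload_dir('/var/www/directus/storage/uploads');
// $path = store_avatar($_FILES['avatar'], '/var/www/directus/storage/uploads');
```

Two caveats a practitioner should check: the `.htaccess` only takes effect if the vhost allows it (`AllowOverride`), and `php_flag` is honoured only by mod_php, so on php-fpm deployments the uploads location must additionally be excluded from the fastcgi handler in the server configuration (for nginx, a `location ^~ /uploads/` block that never reaches `fastcgi_pass`). Storing uploads outside the web root and serving them through a handler that sets a fixed `Content-Type` removes the dependency on web server configuration altogether.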
Would you be willing to work on this?
Maybe, with help/guidance from the Directus team.