Skip to content
This repository has been archived by the owner on Jan 5, 2023. It is now read-only.

RCE via upload addons plugin #52

Closed
tranquac opened this issue Aug 13, 2021 · 3 comments
Closed

RCE via upload addons plugin #52

tranquac opened this issue Aug 13, 2021 · 3 comments

Comments

@tranquac
Copy link

tranquac commented Aug 13, 2021

RCE via upload addon plugin
It was identified that an authenticated user (admin) has the possibility to upload malicious files without any restriction. In this specific case, arbitrary server side PHP code such as web shells can be uploaded. As a result the attacker can run arbitrary code on the server side with the privileges of the web server. This could lead to a full system compromise.

To Reproduce
Steps to reproduce the behavior:

  1. Login to flatcore CMS (admin user)
  2. Click on 'Addons'
  3. Click on 'Install'
  4. Click on 'Plugin'
  5. Choose a malious PHP file (revershell, webshell...), example is shell.php
  6. URL for malious PHP file: http://domain/upload/plugins/shell.php

Screenshots

Desktop (please complete the following information):

  • OS: tested in Linux
  • Browser : All
  • Version : Last version

Additional context
This vulnerability is extremely serious affecting the system. An attacker can take control of the entire server.

@tranquac
Copy link
Author

@patkon
Can you help me check issue this?
Looking forward to hearing from you.
Thank.

@patkon
Copy link
Member

patkon commented Aug 16, 2021

In order to install addons afterwards, the upload of PHP files must be possible. Everyone should be aware that this can lead to security problems.
I think I'll add a "super admin" to rights management. Possibly with an additional password entry before the upload can start. And additional safety information.
Or do you have an idea how to add addons to the system?

@tranquac
Copy link
Author

  • This my idea for this issue:
  • If that module does not need to use functions to interact with the os shell, disable it (system, exec, shell_exec, passthru...).
  • Set permission limit read write system file permission.

patkon added a commit that referenced this issue Aug 19, 2021
We have a new option in users rightsmanagement for sensitive file uploads (addons).
Issues: #54
and #52
@patkon patkon closed this as completed Jan 5, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants