There is an arbitrary file upload vulnerability in the HYBBS upload plugin function #33

Open
shmilylty opened this issue Feb 7, 2022 · 1 comment

@shmilylty

Vulnerability overview

There is an arbitrary file upload vulnerability in the upload plugin function of the HYBBS management background, which can lead to gaining server permissions.

Vulnerability scope

All versions prior to HYBBS 2.3.3

Vulnerability environment construction

Clone the latest HYBBS code repository locally, then use phpstudy to set up HYBBS.

Vulnerability reproduction steps

Make a malicious zip archive as shown below.

(screenshot: 2022-02-07-16-46-39)

Upload the malicious zip archive via the upload plugin function of the management background.

(screenshot: 2022-02-07-16-50-42)

After uploading, a prompt indicates that the upload was successful.

(screenshot: 2022-02-07-16-52-20)

The log of the folder monitoring software shows that HYBBS renamed the malicious compressed package and extracted it into the Plugin directory.

(screenshot: 2022-02-07-16-54-43)

(screenshot: 2022-02-07-16-57-40)

Vulnerability code analysis

Locate the code of the plugin upload function.

(screenshot: 2022-02-07-17-13-57)

(screenshot: 2022-02-07-17-14-07)

HYBBS directly decompresses the compressed package and does not check the content of the compressed package, resulting in an arbitrary file upload vulnerability.
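As an added defensive example (not HYBBS's code, and in Python rather than the project's PHP so it runs stand-alone): a pre-extraction check a plugin installer could run on an uploaded archive before unzipping it into the Plugin directory. The manifest name `plugin.json`, the single-top-level-directory layout, and the sample archives are assumptions constructed for this example.

```python
import io
import posixpath
import zipfile
# Policy assumed for this example (not HYBBS's own rules): one top-level plugin directory
# carrying a manifest, and no entry that can land outside Plugin/<name>/ once extracted.
# Plugins are PHP code, so this only stops a package from writing where the installer did not intend.
MANIFEST_NAME = "plugin.json"          # assumed manifest name; HYBBS's real one may differ
S_IFMT, S_IFLNK = 0o170000, 0o120000   # unix mode bits stored in a zip entry's external_attr


def check_plugin_archive(data: bytes) -> list[str]:
    """Return the reasons an uploaded plugin archive must be rejected (empty = acceptable)."""
    problems, roots = [], set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        for info in zf.infolist():
            name, norm = info.filename, posixpath.normpath(info.filename)
            # 1. Every entry must stay inside the extraction directory.
            if posixpath.isabs(name) or "\\" in name or norm == ".." or norm.startswith("../"):
                problems.append(f"path escapes the plugin directory: {name!r}")
                continue
            # 2. A symlink entry could redirect extraction to arbitrary server files.
            if (info.external_attr >> 16) & S_IFMT == S_IFLNK:
                problems.append(f"symlink entry not allowed: {name!r}")
                continue
            roots.add(norm.split("/", 1)[0])
    # 3. Exactly one plugin directory, with the manifest at its root.
    if len(roots) != 1:
        problems.append(f"expected one top-level plugin directory, found {sorted(roots)}")
    elif f"{next(iter(roots))}/{MANIFEST_NAME}" not in names:
        problems.append(f"plugin directory {next(iter(roots))!r} has no {MANIFEST_NAME}")
    return problems


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {path: content}; used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()


SAMPLES = {  # constructed sample archives: one well-formed plugin, three the installer must refuse
    "good": build_zip({"hello/plugin.json": b"{}", "hello/hello.php": b"<?php // plugin code"}),
    "traversal": build_zip({"hello/plugin.json": b"{}", "../outside.txt": b""}),
    "no_manifest": build_zip({"hello/readme.txt": b"no manifest here"}),
    "two_roots": build_zip({"a/plugin.json": b"{}", "b/plugin.json": b"{}"}),
}

if __name__ == "__main__":
    print({k: check_plugin_archive(v) or "accepted" for k, v in SAMPLES.items()})
```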

@daniuwo
Contributor

daniuwo commented Feb 26, 2022

Uploading in the backend requires an administrator; ordinary users do not have permission.
