Subrion allows to upload pht, phar extensions. #801
Comments
Note: I got the CVE number for this vulnerability - CVE-2018-19422.
Hi, thanks for your report. Could you please explain the first step?
What would be the idea of uploading files if you have admin login details? Sounds a bit useless. All the frontend upload fields are validated and there is no way to upload files while logged in as non-admin. Thanks
I'm glad to see your comment 😄 Before starting to write the answer to your comment: I didn't understand the point of your questions exactly, so this comment might not be a sufficient answer for yours. 😭 If this comment does not answer your question, please tell me the details of your question. The first step means: log in as a user who can use the upload feature, and move to the upload pages (admin panel / content / uploads). I found this vulnerability in the upload feature, and the user needed the admin details to use this feature. The main problem of this vulnerability was the lack of a blacklist in the So, I think the account problems (stolen admin details or session, etc.) should be considered only as the requirements for triggering this vulnerability. (In other words, the account problem can decrease the severity of this vulnerability.) Thanks!
Thanks for the report. Yes, the note indeed sounds reasonable - we will definitely modify .htaccess and exclude php-executables within the uploads/ folder.
I agree with your words. 😄 The admin panel might have some management features even though they are dangerous; they are intended features. Therefore, misuse of a dangerous feature without another vulnerability (e.g. XSS) is not a vulnerability of the feature. It is just a permission management failure. Thank you!
Thanks. Added to the version now.
Brief of this vulnerability
In the uploading process, Subrion allows uploading pht and phar files. They are able to be executed as PHP scripts, depending on the server environment.
Test Environment
Affected version: 4.2.1
Payload
1. Move to http://[address]:[port]/[app_path]/panel/uploads with admin credentials.
2. Save PHP code with a pht or phar extension and upload it like below.
3. Right click and open the uploaded file name, or move to http://[address]:[port]/[app_path]/uploads/[uploaded file].
4. Profit!
Reason of This Vulnerability
Subrion has an .htaccess file for preventing execution of uploaded files. In the upload directory, .htaccess did not prevent execution of files that have the pht and phar extensions. As a result, they are able to execute as PHP scripts. I tested the pht extension because my test environment is PHP 5.6, so mod_php cannot execute phar extension scripts as PHP. But if Subrion is installed in a PHP 7.2+ environment, the phar extension is also able to execute as PHP.
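As an added example (not code from the Subrion project or from the reporter), a small Python audit of the denylist approach discussed in this thread: it shows which PHP-executable extensions an end-anchored FilesMatch pattern leaves uncovered (pht and phar, as reported) and pairs it with an allowlist check for upload names. The two FilesMatch regexes, the extension sets and the sample file names are assumptions constructed for the example, not Subrion's actual .htaccess contents.

```python
import re
from pathlib import PurePosixPath

# Extensions that a PHP handler may map to the interpreter (constructed for this
# example; pht and phar are the two the issue reports as not blocked).
PHP_EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "pht", "phar"}

# Assumed FilesMatch regexes for an uploads/.htaccess, not Subrion's real contents.
# The weak one mirrors the gap described in the report; the hardened one adds the
# two extensions the report names.
WEAK_FILESMATCH = r"\.(php|php[3-7]|phtml)$"
HARDENED_FILESMATCH = r"\.(php|php[3-7]|phtml|pht|phar)$"


def uncovered_extensions(filesmatch_regex):
    """Return the PHP-executable extensions that a FilesMatch denylist regex
    would NOT match, i.e. names that would still reach the PHP handler."""
    pattern = re.compile(filesmatch_regex, re.IGNORECASE)
    return {ext for ext in PHP_EXECUTABLE_EXTS
            if not pattern.search("upload." + ext)}


# Allowlist for the application-side check (assumed set for the example).
ALLOWED_UPLOAD_EXTS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}


def is_safe_upload_name(filename):
    """Allowlist check for an uploaded file name: the final extension must be
    allowed, and no dotted segment may be a PHP-executable extension, so that
    names like shell.phar.jpg are rejected as well as shell.pht."""
    name = PurePosixPath(filename).name   # strip any directory components
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:    # no extension, or dotfile like .htaccess
        return False
    if parts[-1] not in ALLOWED_UPLOAD_EXTS:
        return False
    return not any(seg in PHP_EXECUTABLE_EXTS for seg in parts[1:])


if __name__ == "__main__":
    for label, regex in (("weak", WEAK_FILESMATCH), ("hardened", HARDENED_FILESMATCH)):
        print(f"{label:8s} leaves uncovered: {sorted(uncovered_extensions(regex))}")
    for name in ("photo.jpg", "shell.pht", "shell.phar", "shell.phar.jpg", ".htaccess"):
        print(f"{name:16s} -> {'accept' if is_safe_upload_name(name) else 'reject'}")
```

The FilesMatch audit only models an end-anchored pattern; if the server maps handlers per extension anywhere in the name, the allowlist check's rejection of inner segments is the part that matters.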