Subrion allows uploading files with pht and phar extensions. #801

Open
Hexife opened this Issue Nov 14, 2018 · 2 comments


Hexife commented Nov 14, 2018

Brief of this vulnerability
In the upload process, Subrion allows uploading pht and phar files. Depending on the server environment, these can be executed as PHP scripts.

Test Environment

  • Apache/2.4.18 (Debian)
  • PHP 5.6.38-2+ubuntu16.04.1+deb.sury.org+1 (cli)

Affected version
4.2.1

Payload

  1. Go to http://[address]:[port]/[app_path]/panel/uploads with admin credentials.

  2. Save PHP code with a pht or phar extension and upload it, like the file below.

# test.pht
<?php system(id);?>

  3. Right-click and open the uploaded file name, or
    go to http://[address]:[port]/[app_path]/uploads/[uploaded file].

  4. Profit!

Reason for This Vulnerability
Subrion has an .htaccess file to prevent execution of uploaded files.

# Deny files access for some file extensions
<FilesMatch "(?i)\.(php|php5|php4|php3|php2|phtml|pl|py|jsp|asp|htm|shtml|sh|cgi)$">
    ForceType text/plain
    Order Deny,Allow
    Deny from All
</FilesMatch>

# Process script files as plain text
AddHandler default-handler .php .php5 .php4 .php3 .php2 .phtml .pl .py .jsp .asp .htm .shtml .sh .cgi

In the upload directory, .htaccess did not prevent execution of files with the pht and phar extensions. As a result, they can be executed as PHP scripts.

I tested the pht extension because my test environment is PHP 5.6, so mod_php cannot execute phar scripts as PHP. But if Subrion is installed in a PHP 7.2+ environment, the phar extension can also be executed as PHP.
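As an added illustration, not part of this report or of the Subrion project: the FilesMatch pattern quoted above replayed in Python against constructed upload names, next to a hardened denylist and an extension allowlist. The hardened pattern and the allowed-extension set are assumptions for the example, not Subrion's configuration.

```python
import re

# Pattern copied verbatim from the uploads/.htaccess quoted in the report.
ORIGINAL_DENYLIST = re.compile(
    r"(?i)\.(php|php5|php4|php3|php2|phtml|pl|py|jsp|asp|htm|shtml|sh|cgi)$"
)

# Hardened denylist (assumption): covers php followed by any digits, plus the
# pht and phar extensions the report found uncovered. Which extensions a server
# actually hands to mod_php depends on its own AddHandler/AddType lines.
HARDENED_DENYLIST = re.compile(
    r"(?i)\.(php\d*|pht|phtml|phar|pl|py|jsp|asp|htm|shtml|sh|cgi)$"
)

# Allowlist of extensions an upload directory should ever serve (constructed).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}


def denylist_blocks(pattern, filename):
    """True if a FilesMatch-style pattern would apply Deny to this filename."""
    return pattern.search(filename) is not None


def allowlist_accepts(filename):
    """Accept only names whose every dotted suffix is an allowed extension.

    Checking every suffix (not just the last) also rejects a.php.jpg, which a
    last-extension check would let through.
    """
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False
    return all(p in ALLOWED_EXTENSIONS for p in parts[1:])


def audit(filenames, pattern=ORIGINAL_DENYLIST):
    """Names the denylist lets through that the allowlist would have rejected."""
    return [
        f for f in filenames
        if not denylist_blocks(pattern, f) and not allowlist_accepts(f)
    ]


# Constructed sample of uploaded file names.
SAMPLE = ["test.pht", "test.phar", "test.php7", "shell.PHP",
          "photo.jpg", "notes.txt", "a.php.jpg"]

if __name__ == "__main__":
    print("gaps in original denylist:", audit(SAMPLE))
    print("gaps in hardened denylist:", audit(SAMPLE, HARDENED_DENYLIST))
```

The hardened pattern closes the extensions this report names, while the allowlist also catches names like a.php.jpg that any extension denylist misses.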


Hexife commented Nov 14, 2018

Note: the php7 extension could also be uploaded, but it was not executable because of the .htaccess placed in the app root.


Hexife commented Nov 22, 2018

I got the CVE number for this vulnerability: CVE-2018-19422.
