Feehicms-2.0.8 can be attacked directly to getshell via the avatar uploads #46

Closed
tatsumaki002 opened this issue Dec 4, 2019 · 1 comment


@tatsumaki002

There is an arbitrary file upload vulnerability in the background avatar upload.

The CMS only verified the suffix of the file on the front end with JS, and we found that we could upload PHP scripts directly after using Burp Suite to capture and modify the request.

[Screenshot 1]

The attacker can modify the box in the picture and upload the PHP script directly. It also returns the upload path (in the red box on the right of the figure above).

When the PHP file content is a Trojan, attackers can get the shell directly.

Here I used Behinder as a shell management tool, and got a shell successfully.

[Screenshots 2, 3, 4]

@liufee
Owner

liufee commented Dec 24, 2019

Thanks for the feedback.
It has been fixed, see commit.
Because yii2 FileValidator needs a value custom-assigned to the attribute.
