Remote Code Execution via File Upload Restriction Bypass #96
Comments
From issue #96 the suggestion is to disable the php engine completely.
Added .phar to the blocked extensions per issue #96
Thank you for your find. I am playing with the idea to have a minimal whitelist which the user can extend from the GUI, but this makes it again possible to upload files with an executable context. I added the php_flag. I was not aware of this option, thank you. On a side note, since the password needs to be known to exploit this, it is a deliberate upload, and this is not to be stopped, since there are always ways to achieve this.
Could you try the latest development release?
Hi @BSteelooper, Tested Version: 4.7.14 dev 1
Thank you for testing. I'll push the release later today.
@BSteelooper Can you confirm if this is the same issue as #91? That ticket was closed but not with a fixing commit or PR. Thanks!
This is not the same issue. In issue #91 there was a bug which allowed overwrite of the .htaccess file with a blank file, which would remove the protections.
Vulnerability Description
I have observed that it is possible to upload a php file on the system through the manage files functionality, which leads to compromise of the system, as I'm able to upload a malicious php file with the .phar extension and to execute php code on the server.

Observation
On lines 44-45 of files.php, I observed that the application uses a blacklist of extensions to restrict malicious php files, which can be easily bypassed with the .phar extension.

Steps to Reproduce
http://<server>/admin.php?action=files.
.phar extension, e.g. info.phar.
http://<server>/files/info.phar.

Mitigation
.htaccess should be applied as shown below for preventing php file execution in the upload directory.

Reference
https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
https://www.php.net/manual/en/apache.configuration.php
Tested Version: 4.7.13
Vulnerable Version <= 4.7.13
Note: This is a bypass of a previously discovered File Upload vulnerability.
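
The blacklist weakness reported in this issue, next to an allowlist check, as an added example that is not the project's files.php or code from anyone in this thread. Both extension lists, the function names and the sample file names are constructed for illustration.

```php
<?php
// Added example; not the project's code. Lists and names below are constructed.

// Blacklist in the style the issue describes: known PHP extensions are blocked,
// but anything missing from the list (here "phar") is accepted.
const DENYLIST = ['php', 'php3', 'php4', 'php5', 'phtml'];

// Allowlist: only the extensions the site actually needs to store.
const ALLOWLIST = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

function denylist_accepts(string $name): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return !in_array($ext, DENYLIST, true);
}

function allowlist_accepts(string $name): bool
{
    // Refuse empty names, dotfiles such as ".htaccess", and path components.
    if ($name === '' || $name[0] === '.' || $name !== basename($name)) {
        return false;
    }
    // Check every dot-separated segment after the base name, so "x.php.jpg"
    // is refused too (mod_mime can act on inner extensions).
    $parts = explode('.', strtolower($name));
    array_shift($parts);          // drop the base name
    if ($parts === []) {
        return false;             // no extension at all
    }
    foreach ($parts as $ext) {
        if (!in_array($ext, ALLOWLIST, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample upload names.
$samples = ['photo.jpg', 'info.php', 'info.phar', 'INFO.PHP', 'x.php.jpg', '.htaccess', 'notes'];
foreach ($samples as $name) {
    printf("%-10s denylist=%-6s allowlist=%s\n", $name,
        denylist_accepts($name) ? 'accept' : 'reject',
        allowlist_accepts($name) ? 'accept' : 'reject');
}
```

An allowlist only narrows what can be stored; whether anything in the upload directory can execute is still decided by the server configuration, such as the php_flag setting mentioned in the comments.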