
Remote Code Execution via File Upload Restriction Bypass #96

Closed
loopspell opened this issue Dec 1, 2020 · 6 comments

Comments


loopspell commented Dec 1, 2020

Vulnerability Description

I have observed that it is possible to upload a PHP file to the system through the manage files functionality, which leads to compromise of the system. I am able to upload a malicious PHP file with a .phar extension and execute PHP code on the server.

Observation

On lines 44-45 of files.php, I observed that the application uses a blacklist of extensions to restrict malicious PHP files, which can be easily bypassed with the .phar extension.

Steps to Reproduce

  1. Log in to the application's admin panel.
  2. Navigate to http://<server>/admin.php?action=files.
  3. Upload the PHP file with a .phar extension, e.g. info.phar.
     [screenshot 1]
  4. After uploading the PHP file, navigate to http://<server>/files/info.phar.
     [screenshot 2]

Mitigation

  • Rename uploaded files to random filenames: remove the original file extension, then append an allowed file extension.
  • A whitelist of extensions should be applied instead of a blacklist.
  • The .htaccess directive below should be applied correctly to prevent PHP file execution in the upload directory.
php_flag engine off

Reference

https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
https://www.php.net/manual/en/apache.configuration.php

Tested Version: 4.7.13

Vulnerable Version <= 4.7.13

Note: This is a bypass of the previously discovered file upload vulnerability.
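To make the blacklist-versus-whitelist point concrete, here is an added example (not code from files.php or from the project; the blacklist contents, the allowlist and the function names are constructed for illustration, since the real lines 44-45 are not shown on this page). It puts a typical extension blacklist next to an allowlist and a random-rename step, and runs both checks over a few constructed filenames. The blacklist lets info.phar through even though, on Debian-based Apache installs, the bundled PHP module configuration's FilesMatch pattern hands .phar and .phtml to the PHP engine just like .php.

```php
<?php
// Added example, not the project's code: blacklist vs. allowlist extension
// checks for an upload handler, plus random renaming. All names hypothetical.

declare(strict_types=1);

// Blacklist approach as described in the issue: the list is constructed here,
// the real one in files.php is not shown on the page. Blocks .php but lets
// .phar (executed by mod_php on common distro configs) straight through.
function blacklistAllows(string $filename): bool
{
    $blocked = ['php', 'php3', 'php4', 'php5', 'phtml'];
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return !in_array($ext, $blocked, true);
}

// Allowlist approach: only extensions the site actually wants to serve get
// through; anything unknown (including .phar) is rejected by default.
function allowlistAllows(string $filename): bool
{
    $allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'zip', 'txt'];
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return in_array($ext, $allowed, true);
}

// Random rename: discard the client-supplied basename entirely and append
// only the already-validated extension, so no attacker-controlled text
// (including double extensions or path fragments) reaches the filesystem.
function storedName(string $originalName): string
{
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Full check as an upload handler would apply it: allowlist first, then rename.
// Returns the name to store under, or null when the upload must be rejected.
function acceptUpload(string $originalName): ?string
{
    return allowlistAllows($originalName) ? storedName($originalName) : null;
}

// Constructed sample filenames, including the bypass from the issue.
$samples = ['info.php', 'info.phar', 'Info.PHP', 'report.pdf', 'image.jpg'];
foreach ($samples as $name) {
    printf(
        "%-12s blacklist:%-6s allowlist:%-6s stored as: %s\n",
        $name,
        blacklistAllows($name) ? 'pass' : 'block',
        allowlistAllows($name) ? 'pass' : 'block',
        acceptUpload($name) ?? '(rejected)'
    );
}
```

Run with `php example.php`: info.phar passes the blacklist but is rejected by the allowlist, while report.pdf and image.jpg are accepted and stored under a 32-hex-character random name with their validated extension. The extension comparison is lower-cased on both sides, so Info.PHP is handled the same as info.php; a case-sensitive blacklist would be another bypass on servers whose handler mapping is case-insensitive.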

BSteelooper added a commit that referenced this issue Dec 2, 2020
From issue #96 the suggestion is to disable the php engine completely.
BSteelooper added a commit that referenced this issue Dec 2, 2020
Added .phar to the blocked extensions per issue #96
@BSteelooper
Contributor

Thank you for your find.
The files upload exists to have users add all types of files to their website for download. Whitelisting is difficult since I don't know what they want to upload. This is why we took the blacklist route.

I am playing with the idea to have a minimal whitelist which the user can extend from the gut, but this makes it again possible to upload files with an executable context.

I added the php_flag. I was not aware of this option thank you.

On a side note, since the password needs to be known to exploit this, it is a deliberate upload, and this is not to be stopped, since there are always ways to achieve this.
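Since the fix discussed here is the php_flag approach, the following is an added example of a hardened upload-directory configuration (not the project's own .htaccess; the upload path and the exact extension list are assumptions). It keeps `php_flag engine off` for mod_php but wraps it in `<IfModule>`, because under php-fpm that directive is unknown to Apache and makes the whole directory answer with a 500; the `FilesMatch` deny works for any SAPI because access control runs before any handler. Given issue #91, where the protection was lost by overwriting .htaccess with a blank file, the same directives are more robust placed in the vhost configuration for the upload directory than in a file the application can write to.

```apache
# Added example, not the project's .htaccess. Drop it into the upload
# directory (assumed /files) or, better, into the vhost config for it.

# mod_php only: switch the PHP engine off for this tree. Guarded so that a
# php-fpm setup, where php_flag is an unknown directive, does not break.
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
<IfModule mod_php.c>
    php_flag engine off
</IfModule>

# SAPI-independent: refuse to serve anything that a PHP handler might pick up,
# case-insensitively, so info.phar, Info.PHP and x.phtml all get a 403.
<FilesMatch "(?i)\.(php|phar|phtml|phps|php[0-9])$">
    Require all denied
</FilesMatch>

# Everything else is served as a plain static download.
SetHandler default-handler
Options -ExecCGI -Indexes
```

`Require all denied` is the Apache 2.4 form; on 2.2 the equivalent is `Order deny,allow` / `Deny from all`. Combining the deny rule with the application-side allowlist means a future blacklist gap is not enough on its own to reach code execution.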

@BSteelooper
Contributor

Could you try the latest development release?

@loopspell
Author

Hi @BSteelooper, the php_flag in the .htaccess file is set correctly, so now it is not possible to execute PHP files from the files directory.
Also, it is not possible to upload a .phar extension file through the manage files functionality.
Thanks for the quick fix @BSteelooper

Tested Version: 4.7.14 dev 1

@BSteelooper
Contributor

Thank you for testing. I'll push the release later today.

@attritionorg

@BSteelooper Can you confirm if this is the same issue as #91? That ticket was closed but not with a fixing commit or PR. Thanks!

@BSteelooper
Contributor

@BSteelooper Can you confirm if this is the same issue as #91? That ticket was closed but not with a fixing commit or PR. Thanks!

This is not the same issue. In issue #91 there was a bug which allowed overwriting the .htaccess file with a blank file, which would remove the protections.
