-
Notifications
You must be signed in to change notification settings - Fork 0
/
Aimeos_RCE
45 lines (32 loc) · 1.65 KB
/
Aimeos_RCE
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
Remote Code Execution via File Upload restriction bypass with path traversal in aimeos-core version < 2024.04.5
Base Score: 8.8 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Complexity: Easy
Vulnerable Products: aimeos-core
Vulnerable Versions:
>= 2024.04.1, < 2024.04.5
Patched versions:
2024.04.5
Affected Products:
1. Aimeos shop and e-commerce framework laravel
2. Aimeos shop and e-commerce framework Typo3 extention
Authentication: required
Attacks: Path Traversal, File Upload restriction bypass using GIF89a header
Gained Access: WebServer user ( Apache, Nginx, Etc… )
To Reproduce:
1. Login to your low privilege aimeos (role = editor) account & go to catalog --> Products --> Select any product --> Media
2. Upload PHP shell with GIF89a header using image upload feature.
3. Intercept the request using Burp Suite & change media.url parameter's extension to .php
4. Note down the path of the shell which can be fetched in step 3 in the media.url parameter & forward the request
5. The response will show "Error:Error saving data" but the shell will be uploaded at the above path.
6. Navigate to the shell path noted in step 4 to execute remote code
References:
https://github.com/aimeos/aimeos-core/security/advisories/GHSA-rhc2-23c2-ww7c
https://github.com/advisories/GHSA-rhc2-23c2-ww7c
https://drive.google.com/file/d/1n5_t-zmKHbx3H47xdhR5kuHTDc0Gxur3/view?usp=sharing
https://github.com/aimeos/aimeos-core/commit/5eea7aa933ac7402044bc6d282f96fba44475ee2
https://github.com/aimeos/aimeos-core/commit/13e163126adff48f987b3b6faca28551effe0205
Author:
Shail Shah
Twitter: https://x.com/ssshah2131/
LinkedIn: https://www.linkedin.com/in/ssshah2131