Local file inclusion leading to RCE in unilogies/bumsys
Feb 28th 2023
The API handling endpoint allows for a local file inclusion that can lead to remote code execution. It requires a valid API token, which can be obtained via a database backup (with account access), a number of different SQL injections (with account access), or stolen from a user.
Proof of Concept
The following request can trigger the vulnerability. A valid API key needs to be specified in the secret HTTP header. The route header specifies the file path that will be included (without the .php extension). The attacker needs to get code onto the server, which can be accomplished via log poisoning or a different RCE found at https://github.com/unilogies/bumsys/blob/9dc2de204116297a7e528c38bc3b1e89bf40f907/module/settings/ajax.php#L1712 which allows uploading arbitrary files with extension control.
GET /api/v1/ HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36
Connection: close
secret: test
route: ../../../../../shell
Exploitation of this vulnerability could result in remote code execution on the server.
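As an added illustration, not code from bumsys, the following Python mirrors the unsafe include-path resolution the report describes (route header joined to the handler directory, ".php" appended) beside a hardened version with an identifier-only syntax check, an allowlist and path confinement, plus a small detection rule for the header value. The directory and allowlist names are assumptions for the demo.

```python
import os
import re
from typing import Optional

# Assumed layout for this demo (not the project's real paths): the API
# handler lives in API_DIR and includes "<route>.php" relative to itself.
API_DIR = "/var/www/bumsys/api/v1"
# Constructed allowlist of route names the handler is meant to serve.
ALLOWED_ROUTES = frozenset({"products", "customers", "orders"})

# Traversal-style tokens that should never appear in a route header;
# usable as a detection rule on a reverse proxy or WAF in front of the app.
SUSPICIOUS_ROUTE = re.compile(r"(\.\.|[/\\]|%2e|%2f|\x00)", re.IGNORECASE)


def resolve_route_vulnerable(route: str) -> str:
    """Unsafe pattern: header value joined to the handler dir, '.php' appended.
    '../../../../../shell' escapes API_DIR and lands on /shell.php."""
    return os.path.normpath(os.path.join(API_DIR, route + ".php"))


def resolve_route_hardened(route: str) -> Optional[str]:
    """Safe pattern: identifier-only syntax, allowlist, then path confinement.
    Returns the file to include, or None to reject the request."""
    # 1. A route is a bare identifier: no separators, dots or NUL bytes,
    #    so traversal cannot even be expressed.
    if not re.fullmatch(r"[A-Za-z0-9_]{1,64}", route):
        return None
    # 2. Only handlers that really exist as API endpoints are includable.
    if route not in ALLOWED_ROUTES:
        return None
    # 3. Defence in depth: the normalised path must stay under API_DIR.
    target = os.path.normpath(os.path.join(API_DIR, f"{route}.php"))
    if os.path.commonpath([API_DIR, target]) != API_DIR:
        return None
    return target


def is_suspicious_route_header(value: str) -> bool:
    """Detection: flag route header values containing traversal tokens."""
    return SUSPICIOUS_ROUTE.search(value) is not None
```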
Good finding. Will fix soon. Thank you.
@admin, please assign a CVE.