File Upload Filter Bypass in microweber/microweber

Status: Valid

Reported on: Dec 1st 2022


Description

A sanitization filter bypass in plupload.php in MicroweberCMS v1.3.1 allows remote authenticated attackers to upload files outside the restricted location.

The target $path for the uploaded image is sanitized here:

$path_restirct = userfiles_path();   // the allowed upload root, i.e. /<web root>/userfiles/
if (isset($_REQUEST['path']) and trim($_REQUEST['path']) != '' and trim($_REQUEST['path']) != 'false') {
[...]
    $path = str_replace('..', '', $path);            // single pass: strips '..' only once
    $path = str_replace($path_restirct, '', $path);  // single pass: can leave new '..' sequences behind

Since $path_restirct can easily be guessed (/<base path of the web directory>/userfiles/), the first str_replace can be circumvented by placing $path_restirct between two dots. After the second replace removes it, the dots join into '..' and directory traversal is possible. Although placing files outside of the intended location is possible, the impact has been deemed neither critical nor high because the extension filter is still in effect. However, the upload still permits several potentially dangerous file types, for example json and zip.


A good example of how easily this vulnerability could have turned into remote code execution is the loadPackagesComposerJson() function here. This function reads Composer.json files and includes any file they specify. Luckily, this function is deprecated and not in use at the moment.

Proof of Concept

This PoC assumes a default install of Microweber in the standard web directory of a CentOS Webserver (/var/www/html/).

1) Log in as admin

2) Navigate to any file upload form (e.g. via editing a page or in the files menu)

3) Select a file to upload (e.g. schema.json) and capture the request

4) Before passing on the POST request, add this parameter to the URL: ?path=/./var/www/html/userfiles/././var/www/html/userfiles/././var/www/html/userfiles/./, where /var/www/html/ is the base web directory.

5) After a successful upload, the file appears in the base web directory


[Image: PoC Image Upload]

Though I did not manage to escalate this attack further at the moment, I believe there are at least two vectors an attacker could investigate. Firstly, placing malicious Composer.json files in arbitrary module directories (the file upload is kind enough to create any directory for us) and finding a way to trigger them. And secondly, creating malicious schema.json files that are searched for and automatically parsed every time the modules are reloaded.

I did give the latter a shot and created a PoC to trigger an SQL error (though creating arbitrary tables is possible, modifying or accessing tables was not achieved during testing).


[Image link: Imgur]

Impact

Allowing web users to place files at an arbitrary location might pose a severe risk depending on the environment and context of the server (shared hosting, etc.). At the least, the vulnerability by itself is not critical, but it can serve as an important gadget for other, more dangerous attacks (e.g. staging malicious payloads as harmless configuration files). Additionally, excessive file uploads and database queries pose a denial-of-service risk.

Timeline:

We are processing your report and will contact the microweber team within 24 hours. (a month ago)
We have contacted a member of the microweber team and are waiting to hear back. (a month ago)
Peter Ivanov validated this vulnerability. (a month ago)
crackcat has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
The researcher's credibility has increased: +7
Peter Ivanov marked this as fixed in 1.3.2 with commit 0d279a. (a month ago)
Peter Ivanov has been awarded the fix bounty.
This vulnerability has been assigned a CVE.
This vulnerability is scheduled to go public on Dec 20th 2022.
crackcat (Researcher), a month ago:


@maintainer Thanks for the fast response, but I believe the fix at 0d279a is still vulnerable.

The path could now look like this:

// user input
?path=/.>.>/.>.>/.>.>/
// after sanitization
$path = "/../../../"

Maybe consider replacing dangerous character(-sequences) with a safe character like - or _ or, alternatively, use str_replace('.','') to remove all dots (same for slashes).
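The following is an added example, not code from microweber or from the reporter. It contrasts the single-pass str_replace() pattern quoted in the report with a resolver that normalises the requested directory lexically against the upload root, so that it does not matter how '..' is spelled or assembled. The function names weakSanitize, weakSanitizeStripGt and resolveUploadDir and the UPLOAD_ROOT value are assumptions; weakSanitizeStripGt only illustrates the point of the comment above (stripping '>' after the '..' check leaves '..' behind) and is not the content of commit 0d279a.

```php
<?php
declare(strict_types=1);

// Added example, not microweber code. The weak sanitizers are modelled on the
// plupload.php excerpt quoted in the report; the hardened resolver works on
// path segments. All directory names and inputs below are constructed.

const UPLOAD_ROOT = '/var/www/html/userfiles';   // assumed, matches the PoC layout

/** Single-pass removal in the style of the reported code. */
function weakSanitize(string $path, string $restrict): string
{
    $path = str_replace('..', '', $path);        // one pass: '..' only
    $path = str_replace($restrict, '', $path);   // one pass: may create new '..' sequences
    return $path;
}

/** Illustration of the follow-up comment: a further single pass that strips '>'
 *  runs after the '..' check, so '.>.>' survives the check and ends up as '..'.
 *  This is an illustration only, not the change made in commit 0d279a. */
function weakSanitizeStripGt(string $path, string $restrict): string
{
    return str_replace('>', '', weakSanitize($path, $restrict));
}

/**
 * Hardened resolver: treat the request as a path relative to the upload root,
 * walk its segments with a stack, refuse to pop past the root and allow only
 * plain directory names. Returns the absolute target directory, or null when
 * the request must be rejected. It needs no filesystem access, so it also
 * covers directories that the upload would create on the fly.
 */
function resolveUploadDir(string $root, string $requested): ?string
{
    $root = rtrim($root, '/');
    $req  = str_replace('\\', '/', $requested);

    // Accept an absolute path only when it is spelled under the root.
    if (strncmp($req, $root . '/', strlen($root) + 1) === 0) {
        $req = substr($req, strlen($root) + 1);
    } elseif ($req !== '' && $req[0] === '/') {
        return null;   // absolute path pointing somewhere else
    }

    $stack = [];
    foreach (explode('/', $req) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;                       // empty and current-dir segments are no-ops
        }
        if ($seg === '..') {
            if ($stack === []) {
                return null;                // would climb above the upload root
            }
            array_pop($stack);
            continue;
        }
        // Plain names only: rejects '.>.>', leading dots, separators, control chars.
        if (!preg_match('/^[A-Za-z0-9_-][A-Za-z0-9._-]*$/', $seg)) {
            return null;
        }
        $stack[] = $seg;
    }
    return $stack === [] ? $root : $root . '/' . implode('/', $stack);
}

// --- constructed run with the two inputs quoted in the report ---
$restrict = UPLOAD_ROOT . '/';
$poc  = '/./var/www/html/userfiles/././var/www/html/userfiles/././var/www/html/userfiles/./';
$poc2 = '/.>.>/.>.>/.>.>/';

printf("weak        : %s\n", weakSanitize($poc, $restrict));
printf("weak, no '>': %s\n", weakSanitizeStripGt($poc2, $restrict));
var_dump(resolveUploadDir(UPLOAD_ROOT, $poc));
var_dump(resolveUploadDir(UPLOAD_ROOT, $poc2));
var_dump(resolveUploadDir(UPLOAD_ROOT, 'media/2022/./gallery'));
var_dump(resolveUploadDir(UPLOAD_ROOT, '/var/www/html/userfiles/media/../docs'));
```

Run with `php example.php`. Both weak variants hand back a string made of '../' segments for the quoted inputs, which is exactly what the later path concatenation should never receive, while resolveUploadDir returns null for them and only yields a directory for the two benign requests, both strictly below UPLOAD_ROOT. The design point is that rejection is decided on the resolved result rather than on the presence of particular byte sequences in the raw input, so no additional blacklist entry is needed for each new way of spelling a parent-directory reference.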

Peter Ivanov gave praise (a month ago): Thanks for the recommendation
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
crackcat (Researcher), 18 days ago:


@admin Can you publish this? It was scheduled for the 20th.
