Abusing Backup/Restore feature to achieve Remote Code Execution in microweber/microweber
Mar 9th 2022
An admin can use the Backup module to upload a malicious PHP file, which can lead to RCE.
Proof of Concept
- Log in as admin, navigate to Modules -> Backup.
- Prepare a malicious PHP file, in this case info2.php.
- Compress this file to info2php.zip, then click Upload your backup.
- After it is successfully uploaded, click Restore, choose Try to overwrite content by Names & Titles, then Start Restore.
- The system returns Import format not supported.
- However, the malicious file info2.php is unzipped and located in /userfiles/, and that malicious PHP file can be accessed by anyone.
Remote code execution (RCE) attacks allow an attacker to remotely execute malicious code on a computer. The impact of an RCE vulnerability can range from malware execution to an attacker gaining full control over a compromised machine.
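The root cause described above is that the archive is unpacked into a web-served directory before the restore logic decides whether the format is supported, so the "Import format not supported" error arrives after a PHP file is already reachable over HTTP. The following Python is an added example of the defensive ordering a backup/restore handler should use; it is not Microweber's code and not the fix commit referenced below. It inspects every entry name of the uploaded zip without extracting anything, rejects server-executable extensions (including double extensions such as shell.php.json), absolute paths and `..` traversal, and only then extracts into a staging directory outside the web root. The allow-list and deny-list of extensions, the entry names and the archive contents are constructed for the example.

```python
import io
import os
import zipfile
from pathlib import PurePosixPath

# Constructed allow-list: extensions a CMS backup archive is expected to contain
# (an assumption for this example, not Microweber's real list).
ALLOWED_EXTENSIONS = {"json", "xml", "csv", "sql", "txt"}
# Server-side executable extensions that must never be written under the web root.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}


def check_entry_name(name: str) -> list[str]:
    """Return the reasons one archive entry name is unacceptable (empty list if it is fine)."""
    problems = []
    p = PurePosixPath(name)
    if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
        problems.append("absolute path")
    if ".." in p.parts:
        problems.append("path traversal ('..')")
    if name.endswith("/"):
        return problems  # directory entry: there is no extension to check
    # Every dotted suffix is checked, so 'shell.php.json' is caught as well as 'shell.php'.
    suffixes = [s.lstrip(".").lower() for s in p.suffixes]
    if any(s in EXECUTABLE_EXTENSIONS for s in suffixes):
        problems.append("executable extension")
    if not suffixes or suffixes[-1] not in ALLOWED_EXTENSIONS:
        problems.append("extension not in allow-list")
    return problems


def validate_backup_archive(data: bytes) -> dict[str, list[str]]:
    """Inspect the archive WITHOUT extracting anything; map each bad entry name to its problems."""
    rejected = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            problems = check_entry_name(info.filename)
            if problems:
                rejected[info.filename] = problems
    return rejected


def safe_extract(data: bytes, staging_dir: str) -> list[str]:
    """Extract only after validation passed, into a staging directory outside the web root."""
    if validate_backup_archive(data):
        raise ValueError("archive rejected; nothing was extracted")
    root = os.path.realpath(staging_dir)
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(root, info.filename))
            # Second line of defence: the resolved path must stay inside the staging root.
            if os.path.commonpath([root, target]) != root:
                raise ValueError(f"refusing to write outside staging dir: {info.filename}")
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Build a small in-memory zip (constructed test input, not a real backup)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: the first mirrors the report (a file named info2.php inside the
# uploaded archive); the second is a plausible legitimate backup.
MALICIOUS_ZIP = build_zip({"info2.php": b"<?php /* placeholder body */ ?>"})
BENIGN_ZIP = build_zip({"content.json": b"{}", "media/list.csv": b"id,name\n"})

if __name__ == "__main__":
    print("malicious archive:", validate_backup_archive(MALICIOUS_ZIP))
    print("benign archive:", validate_backup_archive(BENIGN_ZIP))
```

The order of operations is the point: `validate_backup_archive` runs over entry names only, so a rejected upload never touches the filesystem, and `safe_extract` writes to a staging directory rather than to a path like /userfiles/ that the web server serves. Since the PoC needs a file ending in .php to appear under the web root, a detection complement is to alert on any new file with a server-executable extension created under the upload directory.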
Bozhidar Slaveykov validated this vulnerability a year ago
Quan Doan has been awarded the disclosure bounty
The fix bounty is now up for grabs
commented a year ago
Hi @bobimicroweber, since the report was validated, should I remove the malicious file on the demo server? Or will you reset the site later?
Bozhidar Slaveykov marked this as fixed in 1.2.12 with commit 867bdd a year ago
This vulnerability will not receive a CVE