search

WBCE / WBCE_CMS

Core package of WBCE CMS. This package includes the core and the default addons. Visit https://wbce.org (DE) or https://wbce-cms.org (EN) to learn more or to join the WBCE CMS community.
https://wbce-cms.org
GNU General Public License v2.0
31 stars 22 forks source link

[ Security Issue ] Rename Function Restrict Bypass #490

Closed Jindom closed 3 years ago

Jindom commented 3 years ago

Hi Team,

Please note that there is a possible way to bypass the restriction and manage to upload a malicious php file to the system. The vulnerable code located in /admin/media/rename2.php

image

There aren't any filtering and protection against user's input "name" and "extension". A user may upload a file called phpinfo.txt and rename it to phpinfo.php by entering the "name" to "phpinfo.ph" "extension" to "p". The following screenshot shows that the malicious user successfully upload phpinfo.php file to the webapp directory.

image

image

instantflorian commented 3 years ago

Woops, thanks for the advice. Fixed with 462864b6fe5ca16aea882fe515cd1124381c1699