flatCore / flatCore-CMS

flatCore is a Web Content Management System (CMS) based on PHP and MySQL/SQLite.
https://flatcore.org
GNU General Public License v3.0

RCE via upload addons plugin #52

Closed tranquac closed 1 year ago

tranquac commented 3 years ago

RCE via upload addon plugin

It was identified that an authenticated user (admin) has the possibility to upload malicious files without any restriction. In this specific case, arbitrary server side PHP code such as web shells can be uploaded. As a result the attacker can run arbitrary code on the server side with the privileges of the web server. This could lead to a full system compromise.

To Reproduce

Steps to reproduce the behavior:

  1. Login to flatcore CMS (admin user)
  2. Click on 'Addons'
  3. Click on 'Install'
  4. Click on 'Plugin'
  5. Choose a malicious PHP file (reverse shell, webshell...), example is shell.php
  6. URL for malicious PHP file: http://domain/upload/plugins/shell.php


Additional context

This vulnerability is extremely serious, affecting the whole system. An attacker can take control of the entire server.

tranquac commented 3 years ago

@patkon Can you help me check this issue? Looking forward to hearing from you. Thanks.

patkon commented 3 years ago

In order to install addons afterwards, the upload of PHP files must be possible. Everyone should be aware that this can lead to security problems. I think I'll add a "super admin" to rights management. Possibly with an additional password entry before the upload can start. And additional safety information. Or do you have an idea how to add addons to the system?
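
One way to implement the gate proposed above (a dedicated "super admin" role plus a fresh password entry before the addon upload starts), as an added example that is not flatCore's own code; the session keys, the `addon_confirm_pw` / `csrf_token` form fields and the origin of `$storedHash` are assumptions:

```php
<?php
// Added example, not flatCore code: authorize the addon upload only for a
// dedicated role, after a recent password confirmation and with a valid
// CSRF token. Session keys and form field names are hypothetical.
declare(strict_types=1);

const ADDON_UPLOAD_ROLE = 'superadmin';
const REAUTH_WINDOW_SEC = 300; // a confirmed password stays valid for 5 minutes

/**
 * Returns null when the upload may proceed, otherwise the reason for denial.
 * $session         current session data (user_id, role, csrf_token, addon_reauth_at)
 * $confirmPassword password typed into the confirmation field, null if absent
 * $postedToken     CSRF token sent with the upload form
 * $storedHash      password_hash() value of the current user, loaded from the DB
 * $now             current unix time (passed in so the check is testable)
 */
function authorizeAddonUpload(array $session, ?string $confirmPassword,
                              string $postedToken, string $storedHash, int $now): ?string
{
    if (empty($session['user_id'])) {
        return 'not logged in';
    }
    // An ordinary admin is not enough: installing an addon is code execution by design.
    if (($session['role'] ?? '') !== ADDON_UPLOAD_ROLE) {
        return 'addon installation requires the superadmin role';
    }
    // The form must carry the token issued to this session (both non-empty).
    $sessionToken = (string)($session['csrf_token'] ?? '');
    if ($sessionToken === '' || !hash_equals($sessionToken, $postedToken)) {
        return 'invalid CSRF token';
    }
    // Accept a recent re-authentication, otherwise the password must be entered again.
    $lastReauth = (int)($session['addon_reauth_at'] ?? 0);
    if ($now - $lastReauth > REAUTH_WINDOW_SEC) {
        if ($confirmPassword === null || $storedHash === ''
            || !password_verify($confirmPassword, $storedHash)) {
            return 'password confirmation required before uploading an addon';
        }
    }
    return null;
}

// Hypothetical integration point in the plugin upload handler.
$deny = authorizeAddonUpload($_SESSION, $_POST['addon_confirm_pw'] ?? null,
                             (string)($_POST['csrf_token'] ?? ''), $storedHash, time());
if ($deny !== null) {
    http_response_code(403);
    exit($deny);
}
$_SESSION['addon_reauth_at'] = time();
// Leave an audit trail: who installed what, and from where.
error_log(sprintf('addon upload by user %d from %s: %s', $_SESSION['user_id'],
    $_SERVER['REMOTE_ADDR'] ?? '?', $_FILES['plugin']['name'] ?? '(no file)'));
```

The role check and the password re-entry are what the comment above describes; the CSRF check and the audit log line are added because an upload that installs executable code should not be triggerable from another site and should leave a record.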

tranquac commented 3 years ago