flatCore / flatCore-CMS

flatCore is a Web Content Management System (CMS) based on PHP and MySQL/SQLite.
https://flatcore.org
GNU General Public License v3.0
50 stars 16 forks source link

Upload web shell flatcore Version 2.0.8 #58

Closed ngochieu-kiminawa closed 1 year ago

ngochieu-kiminawa commented 3 years ago

Upload web shell A clear and concise description of what the bug is.

To Reproduce Steps to reproduce the behavior:

  1. Login to flatcore CMS (admin user)
  2. Click on 'Addons'
  3. Click on 'Install'
  4. Click on 'Plugin'
  5. Choose a malious PHP file example is webshell.php
  6. URL for malious PHP file: http://domain/upload/plugins/webshell.php image

Screenshots This POC for vuln :https://youtu.be/3w1M9eL_JiI file payload webshell.zip

Desktop (please complete the following information):

OS: tested in Linux Browser : All Version : Last version

Additional context This vulnerability is extremely serious affecting the system. An attacker can take control of the entire server.

patkon commented 3 years ago

That's the same as Issue #58

hieuminhnv commented 3 years ago

@patkon
Has RCE via Module Addons been fixed yet? on version 2.0.9

patkon commented 3 years ago

Not really fixed. The admin has to confirm a message that he knows what he is uploading. See: Issue #54 I'm working on the possibility that you can turn off the entire upload vie config.php file.

patkon commented 3 years ago

And here we go. Uploads for Addons are deactivated by default now. You can switch this on/off in your own config.php file.