Closed ngochieu-kiminawa closed 1 year ago
That's the same as Issue #58
@patkon
Has RCE via Module Addons been fixed yet on version 2.0.9?
Not really fixed. The admin has to confirm a message that he knows what he is uploading. See: Issue #54. I'm working on the possibility that you can turn off the entire upload via the config.php file.
And here we go. Uploads for Addons are deactivated by default now. You can switch this on/off in your own config.php file.
Upload web shell A clear and concise description of what the bug is.
To Reproduce Steps to reproduce the behavior:
Screenshots: POC for this vuln: https://youtu.be/3w1M9eL_JiI (payload file: webshell.zip)
Desktop (please complete the following information):
OS: tested in Linux
Browser: All
Version: Last version
Additional context: This vulnerability is extremely serious, affecting the system. An attacker can take control of the entire server.