Closed s4n-h4xor closed 2 years ago
Hello, everyone,
I unfortunately successfully reproduced the security issue on FlatPress fp-1.3.dev [master] and PHP version 7.4.30.
A possible solution could be to prevent the upload of php files via uploader. Unfortunately, my PHP knowledge is not sufficient for a possible solution.
So that PHP files in the attachs folder cannot be called directly, you can add an additional htaccess with the following rule for this folder as a temporary solution:
```apache
<FilesMatch "\.(?i:php)$">
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
</FilesMatch>
```
This is then only valid for this folder. Tested with Apache/2.4.54.
Best Regards
Hi, thank you very much for reporting. FlatPress 1.2 didn't check uploaded files properly at all (even if the changelog said it did). @Fraenkiman, could you please test this again?
> Opening issue here, Got no reply from hello@flatpress.org for 2 months
Which I am ashamed of, totally missed this. Thank you very much for re-reporting here.
Hello, everyone,
The bug fix for the issue was successfully tested in the following upload scenarios:
- Single file: shell.php; file was not placed in the attachs or images directory, as expected. :heavy_check_mark:
- Single file: .zip; file was placed in the attachs directory, as expected. :heavy_check_mark:
- Single file: .rar; file was placed in the attachs directory, as expected. :heavy_check_mark:
- Single file: .png; file was placed in the images directory, as expected. :heavy_check_mark:
- Single file: .jpg; file was placed in the images directory, as expected. :heavy_check_mark:
- Single file: .gif; file was placed in the images directory, as expected. :heavy_check_mark:
- Mixed selection, only allowed file types: .png, .gif, .jpg, .zip, .rar, .mp4 and .avi; files were placed in the images and attachs directories, as expected. :heavy_check_mark:
- Mixed selection, allowed file types with a forbidden file type: .png, .gif, .jpg, .php, .zip, .rar, .mp4 and .avi; the PHP file was not placed in the attachs or images directory, as expected. :heavy_check_mark: However, the following was noticed: #154
In my test, I was also able to successfully upload the *.js file type. This file type could potentially be exploited for similar vulnerabilities.
Conclusion: Bugfix request has been successfully tested on fp-1.3.dev [master]. I have created a new issue to address the issue.
Best Regards Frank
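An added example, not FlatPress code, of the kind of allowlist routing that the upload scenarios above exercise: each client-supplied file name is mapped to the images directory, the attachs directory, or rejected. It is written in Python rather than FlatPress's PHP to keep the decision logic language-neutral. The extension lists, the rejection of an executable extension anywhere in the name (not only at the end, since Apache's mod_mime can honour multiple extensions), and the stricter choice to also refuse .js (the follow-up noted in #154) are this example's assumptions:

```python
import os
import re

# Constructed allowlists for this example; FlatPress's real lists may differ.
IMAGE_EXTS = {"png", "jpg", "jpeg", "gif"}
ATTACH_EXTS = {"zip", "rar", "mp4", "avi"}
# Extensions that must never land in a web-served directory, wherever they
# appear in the name (covers shell.php, shell.PHP and shell.php.jpg alike).
# Including "js" is this example's stricter choice, per the #154 follow-up.
EXECUTABLE_EXTS = {"php", "phtml", "php3", "php4", "php5", "phar", "js", "htaccess"}

# Only plain names: letters, digits, dot, underscore, hyphen.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+$")


def classify_upload(filename: str) -> str:
    """Return 'images', 'attachs' or 'rejected' for a client-supplied name."""
    # Keep only the base name so path components cannot leave the upload dir.
    name = os.path.basename(filename.replace("\\", "/"))
    if not name or name.startswith(".") or not SAFE_NAME.fullmatch(name):
        return "rejected"
    parts = name.lower().split(".")
    if len(parts) < 2:
        return "rejected"  # no extension at all: nothing to allowlist against
    exts = parts[1:]
    # Any executable extension in any position is refused, because checking
    # only the final extension is not enough on servers that honour
    # multiple extensions.
    if any(ext in EXECUTABLE_EXTS for ext in exts):
        return "rejected"
    last = exts[-1]
    if last in IMAGE_EXTS:
        return "images"
    if last in ATTACH_EXTS:
        return "attachs"
    return "rejected"  # default deny: unknown types are not stored


def classify_batch(filenames):
    """Mirror the 'mixed selection' scenario: every file is decided on its own,
    so one forbidden file does not block the allowed ones beside it."""
    return {name: classify_upload(name) for name in filenames}


if __name__ == "__main__":
    # Constructed sample names covering the scenarios from the test report.
    sample = ["shell.php", "archive.zip", "photo.png", "clip.mp4",
              "shell.php.jpg", "script.js", "../evil.png"]
    for name, decision in classify_batch(sample).items():
        print(f"{name} -> {decision}")
```

The default-deny branch at the end is the part worth keeping even if the lists change: a type that is not explicitly allowed is never written to a served directory, and the htaccess rule from the first comment then acts as a second, independent layer should the check ever be bypassed.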
File upload bypass to RCE
Severity: High
Description: It is observed that the application has the functionality to upload images and download them further. The download functionality is not sandboxed and does not have proper security controls, which can be bypassed by tricking the web server and uploading dangerous file types, which leads to RCE.
Technical Impact: A privileged attacker can use the upload functionality to gain access to the server.
Suggested Remediation:
Steps to Reproduce:
Opening issue here, Got no reply from hello@flatpress.org for 2 months