Closed JuyLang closed 6 months ago
Thanks for reporting, we'll look into it!
I would like to have a look into it, as this is an RCE and should be fixed asap. Unfortunately I don't have access to the linked huntr.dev entry - I logged in there with my github account. Maybe someone could give me access to it, so I can have a look to it?
I can't give access, you need to verify yourself as owner with huntr.dev. Previous reports can still be processed, please contact your team again
I can submit vuln
- [x] RCE: fixed the classification of files with the .xsig extension #257, thx @Fraenkiman
- [ ] Stored XSS: open
There is confusion, the vulnerability I reported is different from this issue. I will send it as a cve report via email
Hello @JuyLang
Thank you for your attention. I assumed that it was only about the *.xsig extension. The Feature currently only checks file extensions using a "negative list". I have not yet succeeded in switching to a "positive list". @DeltaLima , Would you like to see how this can be rewritten?
Note: Paste to file plugin.prettyurls.php

```apache
<IfModule mod_rewrite.c>
RewriteEngine On
# Protects the .htaccess file from external access, status code 403 "Forbidden" is output
RewriteRule ^\.htaccess$ - [F]
</IfModule>
```

(Only works with web servers that support control via htaccess)
With best regards Frank
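The "positive list" filter discussed above, as an added example that is not FlatPress code: the allowed extensions, the constant and the function name are assumptions; it also rejects dotfiles such as .htaccess and double extensions, which a pure extension allowlist would miss.

```php
<?php
// Added example of an allowlist ("positive list") check for upload file names.
// Not FlatPress code; the allowed extensions and names below are assumptions.

/** Extensions an admin is assumed to need for uploads (adjust per site). */
const ALLOWED_UPLOAD_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'webp', 'pdf', 'txt', 'zip'];

/**
 * Returns true only if $filename is acceptable under the allowlist:
 *  - the extension is compared case-insensitively ("photo.JPG" passes);
 *  - every dot-separated part after the basename must be allowed, so
 *    "shell.php.jpg" and "shell.jpg.php" both fail (double-extension case);
 *  - dotfiles such as ".htaccess" fail because the basename is empty, so a
 *    visitor cannot upload server configuration (e.g. an AddType directive);
 *  - path separators and NUL bytes are rejected (no directory traversal).
 * Anything not explicitly listed is refused, unlike a negative list.
 */
function isAllowedUploadName(string $filename): bool
{
    if ($filename === '' || strpbrk($filename, "/\\\0") !== false) {
        return false;
    }
    $parts = explode('.', $filename);
    if (count($parts) < 2) {
        return false;               // no extension at all
    }
    $base = array_shift($parts);
    if (trim($base) === '') {
        return false;               // ".htaccess", ".php", ...
    }
    foreach ($parts as $ext) {
        if (!in_array(strtolower($ext), ALLOWED_UPLOAD_EXTENSIONS, true)) {
            return false;           // unknown part such as "php", "phtml", "abc"
        }
    }
    return true;
}

// Constructed sample names, not taken from any real upload.
$samples = ['photo.JPG', 'notes.txt', 'shell.php', 'shell.php.jpg', '.htaccess', '../x.png', 'README'];
foreach ($samples as $name) {
    printf("%-14s %s\n", $name, isAllowedUploadName($name) ? 'allowed' : 'rejected');
}
```

Only the first two sample names are accepted; the check belongs next to the existing extension filter, before the file is written to the upload directory.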
Hi @Fraenkiman
Root cause analysis is due to possible .htaccess content changes. At this point, you can change any extension to still be able to execute remote code, example: AddType application/x-httpd-php .abc
Then the .abc file will execute similar to php
https://www.geeksforgeeks.org/what-is-htaccess-file-in-php/
Hello @JuyLang
> Root cause analysis is due to possible .htaccess content changes. At this point, you can change any extension to still be able to execute remote code, example: `AddType application/x-httpd-php .abc ....
In principle, I agree with you that it is possible to add any extension in this way. However, my solution above is intended to prevent the htaccess file from being changed from outside/as a visitor. Only a FlatPress administrator can change the file and add any extension. So I don't see such a big risk. I can't think of any reason why the FlatPress admin should allow any extensions besides .php .htm .html, unless he wants to deliberately endanger his web server.
Nevertheless, I think it is important to only allow certain file extensions for the upload.
I have also brought @DeltaLima on board. He might be able to help us create a positive upload filter. Can the vulnerability also be exploited if you are not logged into the administration area? I would very much appreciate it if you could point out any other weaknesses.
With best regards Frank
Hi @Fraenkiman
I agree with you about the above solution, and .htaccess can only be changed with admin rights; in addition I also discovered some other security holes. I will report them as a CVE report.
This report is valid, can you please specify a CVE, currently huntr.dev doesn't support that.
Thanks & regards Juylang
Remote code execution: https://huntr.dev/bounties/d87e0117-788b-45f8-a06a-483246fa8160/
As mentioned above: Editing the .htaccess is only possible when logged in. I opened #379 to discuss this, though.
XSS Stored: https://huntr.dev/bounties/ed803c13-0858-4c22-93ba-bf2384ab1e9d/
Finally confirmed and closed on huntr. Thanks for testing and reporting!
I would like to report a vulnerability on the huntr.dev platform that enables remote code execution and stored XSS. Could you kindly investigate and take the necessary actions to address this issue?
Vulnerability RCE: https://huntr.dev/bounties/d87e0117-788b-45f8-a06a-483246fa8160/
Vulnerability Stored XSS: https://huntr.dev/bounties/ed803c13-0858-4c22-93ba-bf2384ab1e9d/