flatpressblog / flatpress

FlatPress is a lightweight, easy-to-set-up flat-file blogging engine.
https://flatpress.org
GNU General Public License v2.0
185 stars, 57 forks

Vulnerability RCE #217

Closed JuyLang closed 6 months ago

JuyLang commented 1 year ago

I would like to report a vulnerability on the huntr.dev platform that enables remote code execution and stored XSS. Could you kindly investigate and take the necessary actions to address this issue?

Vulnerability RCE: https://huntr.dev/bounties/d87e0117-788b-45f8-a06a-483246fa8160/

Vulnerability Stored XSS: https://huntr.dev/bounties/ed803c13-0858-4c22-93ba-bf2384ab1e9d/

azett commented 1 year ago

Thanks for reporting, we'll look into it!

DeltaLima commented 1 year ago

I would like to have a look into it, as this is an RCE and should be fixed asap. Unfortunately I don't have access to the linked huntr.dev entry - I logged in there with my GitHub account. Maybe someone could give me access to it, so I can have a look at it?

JuyLang commented 1 year ago

> I would like to have a look into it, as this is an RCE and should be fixed asap. Unfortunately I don't have access to the linked huntr.dev entry - I logged in there with my GitHub account. Maybe someone could give me access to it, so I can have a look at it?

I can't give access; you need to verify yourself as owner with huntr.dev. Previous reports can still be processed, please contact your team again.

azett commented 1 year ago

JuyLang commented 10 months ago

I can submit vuln

There is confusion: the vulnerability I reported is different from this issue. I will send it as a CVE report via email.

Fraenkiman commented 10 months ago

Hello @JuyLang

Thank you for your attention. I assumed that it was only about the *.xsig extension. The feature currently only checks file extensions using a "negative list". I have not yet succeeded in switching to a "positive list". @DeltaLima, would you like to see how this can be rewritten?

Note: paste into the file plugin.prettyurls.php

```apache
<IfModule mod_rewrite.c>
RewriteEngine On
# Protects the .htaccess file from external access; status code 403 "Forbidden" is returned
RewriteRule ^\.htaccess$ - [F]
</IfModule>
```

(Only works with web servers that support control via htaccess)

With best regards Frank

JuyLang commented 10 months ago

> Hello @JuyLang
>
> Thank you for your attention. I assumed that it was only about the *.xsig extension. The feature currently only checks file extensions using a "negative list". I have not yet succeeded in switching to a "positive list". @DeltaLima, would you like to see how this can be rewritten?
>
> Note: paste into the file plugin.prettyurls.php
>
> ```apache
> <IfModule mod_rewrite.c>
> RewriteEngine On
> # Protects the .htaccess file from external access; status code 403 "Forbidden" is returned
> RewriteRule ^\.htaccess$ - [F]
> </IfModule>
> ```
>
> (Only works with web servers that support control via htaccess)
>
> With best regards Frank

Hi @Fraenkiman

Root cause analysis: the problem is due to possible .htaccess content changes. At this point, you can change any extension to still be able to execute remote code, for example: `AddType application/x-httpd-php .abc`. Then the .abc file will execute similar to PHP. https://www.geeksforgeeks.org/what-is-htaccess-file-in-php/

Fraenkiman commented 10 months ago

> Hello @JuyLang
>
> Root cause analysis: the problem is due to possible .htaccess content changes. At this point, you can change any extension to still be able to execute remote code, for example: `AddType application/x-httpd-php .abc` ....

In principle, I agree with you that it is possible to add any extension in this way. However, my solution above is intended to prevent the htaccess file from being changed from outside/as a visitor. Only a FlatPress administrator can change the file and add any extension. So I don't see such a big risk. I can't think of any reason why the FlatPress admin should allow any extensions besides .php .htm .html, unless he wants to deliberately endanger his web server.

Nevertheless, I think it is important to only allow certain file extensions for the upload.

I have also brought @DeltaLima on board. He might be able to help us create a positive upload filter. Can the vulnerability also be exploited if you are not logged into the administration area? I would very much appreciate it if you could point out any other weaknesses.

With best regards Frank
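Added example (not FlatPress code, and not the rewrite requested of @DeltaLima): a "positive list" check for upload file names of the kind discussed in the two comments above. The function name `is_allowed_upload` and the contents of `$ALLOWED` are assumptions chosen for illustration. Unlike a negative list, an extension that nobody thought to list (such as the `.abc` from the comment above) is rejected by default, and every extension component of a multi-extension name is checked, since some web servers evaluate all of them.

```php
<?php
// Added example (not FlatPress code). Hypothetical helper and allow-list.

/**
 * Return true only if every extension component of $filename appears in $allowed.
 * Rejects names without an extension and dotfiles such as ".htaccess".
 */
function is_allowed_upload(string $filename, array $allowed): bool
{
    $base  = basename($filename);          // strip any directory part
    $parts = explode('.', $base);
    if (count($parts) < 2 || $parts[0] === '') {
        return false;                      // no extension, or no stem (dotfile)
    }
    array_shift($parts);                   // drop the file name stem
    $allowed = array_map('strtolower', $allowed);
    foreach ($parts as $ext) {
        // every component must be on the list; "" catches names like "a..jpg"
        if ($ext === '' || !in_array(strtolower($ext), $allowed, true)) {
            return false;
        }
    }
    return true;
}

// Illustrative allow-list (constructed): only what the blog needs for attachments.
$ALLOWED = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt', 'zip'];

// Constructed test names with the expected decision.
$cases = [
    'report.pdf'     => true,
    'photo.JPG'      => true,   // case-insensitive match
    'page.php'       => false,  // not listed, so rejected without naming it anywhere
    'notes.abc'      => false,  // the ".abc" case from the comment: absent from the list
    'image.php.jpg'  => false,  // every component must be allowed, not just the last
    '.htaccess'      => false,  // dotfile with no stem
    'archive.tar.gz' => false,  // add both 'tar' and 'gz' to the list if wanted
    'noext'          => false,
];

foreach ($cases as $name => $expected) {
    $got = is_allowed_upload($name, $ALLOWED);
    printf("%-16s %s\n", $name, $got === $expected ? 'ok' : 'MISMATCH');
}
```

This check complements, rather than replaces, the RewriteRule above that keeps the .htaccess file from being read by visitors: the allow-list decides what may be stored, while the server configuration decides what is executed.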

JuyLang commented 10 months ago

> Hello @JuyLang
>
> Root cause analysis: the problem is due to possible .htaccess content changes. At this point, you can change any extension to still be able to execute remote code, for example: `AddType application/x-httpd-php .abc` ....
>
> In principle, I agree with you that it is possible to add any extension in this way. However, my solution above is intended to prevent the htaccess file from being changed from outside/as a visitor. Only a FlatPress administrator can change the file and add any extension. So I don't see such a big risk. I can't think of any reason why the FlatPress admin should allow any extensions besides .php .htm .html, unless he wants to deliberately endanger his web server.
>
> Nevertheless, I think it is important to only allow certain file extensions for the upload.
>
> I have also brought @DeltaLima on board. He might be able to help us create a positive upload filter. Can the vulnerability also be exploited if you are not logged into the administration area? I would very much appreciate it if you could point out any other weaknesses.
>
> With best regards Frank

Hi @Fraenkiman

I agree with you about the above solution: .htaccess can only be changed with admin rights. In addition, I have also discovered some other security holes. I will report them as a CVE report.

This report is valid; can you please specify a CVE? Currently huntr.dev doesn't support that.

Thanks & regards Juylang

azett commented 6 months ago

Remote code execution: https://huntr.dev/bounties/d87e0117-788b-45f8-a06a-483246fa8160/

As mentioned above: Editing the .htaccess is only possible when logged in. I opened #379 to discuss this, though.

XSS Stored: https://huntr.dev/bounties/ed803c13-0858-4c22-93ba-bf2384ab1e9d/

Finally confirmed and closed on huntr. Thanks for testing and reporting!