givanz / VvvebJs

Drag and drop page builder library written in vanilla javascript without dependencies or build tools.
https://www.vvveb.com/vvvebjs/editor.html
Apache License 2.0

Web shell attack security issue -- Image validation missing #285

Open yasmagic opened 1 year ago

yasmagic commented 1 year ago

Anyone can upload a PHP or shell script using the image tool. It does not do any validation to restrict uploads to image file types. As a result, anyone can easily carry out a web shell attack and get access to the server and database.

givanz commented 1 year ago

The provided upload.php is a very basic example and is not intended to be used on production as it is.

I added file extension checking to deny certain extensions such as php, and the code can be easily changed from a deny list to an allow list to be more restrictive.

https://github.com/givanz/VvvebJs/commit/a0825e50aef5573a174e6496f6262fd5912ab0e5
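As an added illustration of the deny-list versus allow-list choice discussed above (this is example code written for this page, not the project's upload.php or the code in the linked commit), the block below shows a deny-list check beside an allow-list validator that also inspects the file's bytes. It assumes the upload arrives as `$_FILES['file']` and that `$uploadDir` is a directory with script execution disabled (or outside the web root); both are assumptions, not project conventions.

```php
<?php
// Added example, not VvvebJs code. Assumes the upload is posted as $_FILES['file']
// and that $uploadDir cannot execute scripts (e.g. outside the web root).
declare(strict_types=1);

// Weak approach: a deny list of script extensions. Anything not listed here
// (for example .phtml or .phar on servers configured to run them) slips through,
// so this only blocks what the maintainer thought of.
const DENY_EXTENSIONS = ['php', 'phtml', 'phar'];

function isAllowedByDenyList(string $filename): bool {
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return !in_array($ext, DENY_EXTENSIONS, true);
}

// Hardened approach: allow list of image extensions, each paired with the MIME
// type the file's actual bytes must report, plus a decode check via getimagesize().
const ALLOWED_IMAGES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
    'webp' => 'image/webp',
];

/**
 * Returns the extension to store the file under, or null if the upload is rejected.
 * Only the last extension is inspected; the stored name is regenerated below, so
 * a client name like "shell.php.jpg" ends up as "<random>.jpg".
 */
function validateImageUpload(string $originalName, string $tmpPath, int $maxBytes = 5 * 1024 * 1024): ?string {
    $ext = strtolower(pathinfo(basename($originalName), PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGES[$ext])) {
        return null;
    }
    $size = filesize($tmpPath);
    if ($size === false || $size === 0 || $size > $maxBytes) {
        return null;
    }
    // Sniff the bytes; never trust the client-supplied $_FILES['file']['type'].
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($tmpPath) !== ALLOWED_IMAGES[$ext]) {
        return null;
    }
    // Require that the file actually decodes as an image.
    if (@getimagesize($tmpPath) === false) {
        return null;
    }
    // Note: a valid image can still carry PHP in metadata (a polyglot), which is
    // why the destination directory must not execute scripts.
    return $ext;
}

function storeUpload(string $uploadDir): ?string {
    if (!isset($_FILES['file']) || $_FILES['file']['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    $tmp = $_FILES['file']['tmp_name'];
    if (!is_uploaded_file($tmp)) {
        return null;
    }
    $ext = validateImageUpload($_FILES['file']['name'], $tmp);
    if ($ext === null) {
        return null;
    }
    // Never reuse the client's filename: pick a random one with the vetted extension.
    $target = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($tmp, $target)) {
        return null;
    }
    return $target;
}

// Usage (hypothetical handler):
// $path = storeUpload(__DIR__ . '/uploads');
// if ($path === null) { http_response_code(400); exit('rejected'); }
```

The deny-list function is kept only for contrast: the allow-list validator is the one to deploy, and even then the upload directory must be configured so that nothing stored there is ever executed.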

yasmagic commented 1 year ago

Thank you. The image file restriction wasn't working on your demo server. :) So, the chance of a web shell attack is very high.

givanz commented 1 year ago

The VvvebJs demo does not allow upload at all. Only the CMS demo allows upload, but it restricts php upload; this is temporary until the permissions feature is implemented, and the demo is reinstalled periodically.

If you found this issue in another place let me know and I will fix it.

Thanks.