monstra-cms / monstra

THIS PROJECT IS NOT SUPPORTED ANYMORE! Check FLEXTYPE.ORG
http://flextype.org
MIT License

PHP command execution exists in edit blog template in monstra 3.0.4 #468

Open yanqian1993 opened 4 years ago

yanqian1993 commented 4 years ago

Vulnerability profile: In edit blog template, we can control the website system by writing PHP executable code and running malicious code.

Test environment: PHP version 5.6.2 + Apache

Affected version: <=3.0.4

Vulnerability details:

1. Use the administrative user to log in to the website: http://ip:port/monstra/admin/index.php?id=themes&action=edit_template&filename=blog

2. Write PHP executable code in template content

3. Save the modified template content, visit: http://ip:port/monstra/blog Get shell and control the website
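A detection sketch for the steps reported above, added here as an example and not part of the original issue or the Monstra code base: it scans web server access logs for saves made through the template editor URL and marks those coming from outside a list of known admin addresses. The log lines and IP addresses are constructed, and treating a save as a POST to the editor URL is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample in Apache combined log format (not taken from the report).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2020:10:01:02 +0000] "GET /monstra/admin/index.php?id=themes&action=edit_template&filename=blog HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2020:10:01:40 +0000] "POST /monstra/admin/index.php?id=themes&action=edit_template&filename=blog HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2020:10:03:11 +0000] "POST /monstra/admin/index.php?action=edit_template&filename=index&id=themes HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2020:10:05:00 +0000] "GET /monstra/blog HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def template_edits(log_text, trusted_ips=frozenset()):
    """Return one finding per template save seen in the access log.

    A save is assumed to be a POST to admin/index.php with id=themes and
    action=edit_template; query parameters are matched in any order.
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # opening the editor (GET) is not a change
        url = urlsplit(m["target"])
        query = parse_qs(url.query)
        if not url.path.endswith("/admin/index.php"):
            continue
        if query.get("id") != ["themes"] or query.get("action") != ["edit_template"]:
            continue
        findings.append({
            "time": m["ts"],
            "ip": m["ip"],
            "template": query.get("filename", ["?"])[0],
            "status": int(m["status"]),
            "trusted": m["ip"] in trusted_ips,
        })
    return findings

if __name__ == "__main__":
    # 192.0.2.10 stands in for a known administrator workstation (constructed).
    for f in template_edits(SAMPLE_LOG, trusted_ips={"192.0.2.10"}):
        flag = "ok" if f["trusted"] else "REVIEW"
        print(f'{flag:6} {f["time"]} {f["ip"]} edited template "{f["template"]}"')
```

Each finding is a point at which a theme template changed, so it pairs naturally with a diff of the template files against a known-good copy.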