BSteelooper
commented
3 years ago Thank you for your find. The files upload exists to have users add all types of files to their website for download. Whitelisting is difficult since I don't know what they want to upload. this is why we took the blacklist route.
I am playing with the idea to have a minimal whitelist which the user can extent from the gut, but this makes it again possible to upload files with an executable context.
I added the php_flag. I was not aware of this option thank you.
On a side note, since the password needs to be known to exploit this, it is a deliberate upload, and this is not to be stopped, since there are always ways to achieve this.
loopspell
attritionorg
Vulnerability Description
I have observed that it is possible to upload php file on the system through
manage filesfunctionality which leads to compromise the system. As I'm able to upload malicious php file with.pharextension, and able to execute php code on the server.Observation
On line 44-45 of
files.php, I observed that the application uses blacklist extensions to restrict the php malicious file which can be easily bypassed with.pharextension.Steps to Reproduce
1) Login into the application's admin panel. 2) Navigate to the
http://<server>/admin.php?action=files. 3) Now upload the php file with.pharextension, for e.g.info.phar.4) After uploading the php file, navigate to the
http://<server>/files/info.phar.Mitigation
.htaccessshould be applied as shown below for preventing the php file execution in upload directory.Reference
https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload https://www.php.net/manual/en/apache.configuration.php
Tested Version: 4.7.13
Vulnerable Version <= 4.7.13
Note: This is bypass of previous discovered File Upload vulnerability.