michu2k
commented
2 years ago Hello
First of all, thanks for the report. I'm in the process of fixing some xss injection bugs in the admin panel, so most modules (except settings) will be a little more protected. Why except the settings module? Injecting PHP code into the footer and title can be helpful in handling non-standard stuff so fields in this module won't be changed. Additionally, only the main administrator should have access to the settings module, and other people should not have access to it!
Hello there, I hope you are doing great, I recently read a article from a person who reported you Authenticated RCE but you didn't responded them so he publicly disclosed and released a CVE of that vulnerability, After that seeing that issue, I thought I should try to find vulnerabilities if I can, So I have found another way of executing php codes as an authenticated user,
Steps to reproduce
I am assuming that you are trying this in the /admin/settings/general page in the name input field. After doing this you can check the website title, it will be changed to the output from the whoami command.
Payload breakdown
As I am using the payload, I should probably explain you why am I using this payload and how is it working
What's the security impact for this issue and how can it be escalated further?
For explaining this clearly lets assume this attacker scenario. I am admin of a website which is hosted on batflat cms, and I can't handle all website work so I hired a person and made him my website's admin for moderating my website, now he is a admin, he can now edit title and other input boxes of the websites, Now what can he do is he can just edit the title can change it to a reverse shell, and then he will get the shell access of the server because the code will be executed on the server side.
Kindly fix this issue and make your cms more secure.
Best regards, @HACKE-RC