Headline
CVE-2019-16113: Bludit v3.9.2 Code Execution Vulnerability in "Upload function" · Issue #1081 · bludit/bludit
Bludit 3.9.2 allows remote code execution via bl-kernel/ajax/upload-images.php because PHP code can be entered with a .jpg file name, and then this PHP code can write other PHP code to a …/ pathname.
A Code Execution Vulnerability in Bludit v3.9.2
Hi,
For CVE ID,so I open a new issue,sorry about that.And I think you haven’t completely fixed the bug.
There is a new Code Execution Vulnerability which allow to get server permissions,the path is /bl-kernel/admin/ajax/upload-images.php
1, login with any account which allows you to edit conten
2.upload the evil jpg
We can specify the location of the uploaded file by changing the value of the uuid,then upload the evil picture to tmp folder
3.upload both the.htaccess file and the access target jpg
Successfully reverted to the target file
4. Access the evil file that are written through jpg
So I recommend checking the file before uploading it to temporary directory