Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-2419: About a file upload vulnerability · Issue #77 · crmeb/CRMEB

A vulnerability was found in Zhong Bang CRMEB 4.6.0. It has been declared as critical. This vulnerability affects the function videoUpload of the file \crmeb\app\services\system\attachment\SystemAttachmentServices.php. The manipulation of the argument filename leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-227716.

CVE
#vulnerability#php

CRMEB vulnerability report.docx

The defect code is in the $filename variable in the videoUpload function in the \crmeb\app\services\system\attachment\SystemAttachmentServices.php file, that is, $filename = $all_dir . ‘/’ . $data[‘filename’] . '__ ' . $data[‘chunkNumber’];, it splices $data[‘chunkNumber’] at the end, which is a controllable parameter transfer on the client side, so that the value of $data[‘chunkNumber’] can be modified to The suffix is ​​php, which causes the written malicious code to be parsed and executed.

public function videoUpload($data, $file)
{
$public_dir = app()->getRootPath() . 'public’;
$dir = ‘/uploads/attach/’ . date(‘Y’) . DIRECTORY_SEPARATOR . date(‘m’) . DIRECTORY_SEPARATOR . date(‘d’);
$all_dir = $public_dir . $dir;
if (!is_dir($all_dir)) mkdir($all_dir, 0777, true);
$filename = $all_dir . ‘/’ . $data[‘filename’] . '' . $data[‘chunkNumber’];
move_uploaded_file($file[‘tmp_name’], $filename);
$res[‘code’] = 0;
$res[‘msg’] = 'error’;
$res[‘file_path’] = '’;
if ($data[‘chunkNumber’] == $data[‘totalChunks’]) {
$blob = '’;
for ($i = 1; $i <= $data[‘totalChunks’]; $i++) {
$blob .= file_get_contents($all_dir . ‘/’ . $data[‘filename’] . '
' . $i);
}
file_put_contents($all_dir . ‘/’ . $data[‘filename’], $blob);
for ($i = 1; $i <= $data[‘totalChunks’]; $i++) {
@Unlink($all_dir . ‘/’ . $data[‘filename’] . '' . $i);
}
if (file_exists($all_dir . ‘/’ . $data[‘filename’])) {
$res[‘code’] = 2;
$res[‘msg’] = 'success’;
$res[‘file_path’] = sys_config(‘site_url’) . $dir . ‘/’ . $data[‘filename’];
}
} else {
if (file_exists($all_dir . ‘/’ . $data[‘filename’] . '
' . $data[‘chunkNumber’])) {
$res[‘code’] = 1;
$res[‘msg’] = 'waiting’;
$res[‘file_path’] = '’;
}
}
return $res;
}
}

Vulnerability Exploitation Steps:

  1. Log in to the background

  2. Select commodity, then select commodity Management, and click Add commodity.

3、 Select any commodity category, enter any commodity name, and enter any commodity unit

4、Open the add video button

  1. Use any packet capture tool to open the interception package. I am using BurpSuite here. (As shown below)

6、 Click the plus sign and select the test video you prepared (recommended video length is less than 10 seconds)

7、The package is successfully truncated (as shown in the figure below)

8.、Select the all uploaded video data and delete it. (As shown below)

9、After the deletion is complete, write the malicious code on it

10、Replace the content below the chunkNumber pass parameter with 1.php

11、Click forward Package

Malicious file has been successfully uploaded, how to access it?

An example is as follows:
http://your domain name/uploads/attach/year when you uploaded/month when you uploaded/day when you uploaded/file name__ (note the double underscore here) 1.php

(This is because the program will create some file directories named after your upload time)

So My current time is April 13, 2023, so my access example is as follows:
http://192.168.101.100/uploads/attach/2023/04/13/68CECACC23AB0161625A5BFFE46C3E7A.mp4__1.php

Access the malicious code file just uploaded and execute it successfully

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda