Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2020-10963: CVE-2020-10963 – Unrestricted File Upload in FrozenNode/Laravel-Administrator

FrozenNode Laravel-Administrator through 5.0.12 allows unrestricted file upload (and consequently Remote Code Execution) via admin/tips_image/image/file_upload image upload with PHP content within a GIF image that has the .php extension. NOTE: this product is discontinued.

CVE
#git#php#rce

Hi all,

This time, we want to show you how we achieved unrestricted file upload in the Laravel-Administrator package of FrozenNode. This open source software, is an administrative interface builder for Laravel.

https://github.com/FrozenNode/Laravel-Administrator

As Laravel-Administrator allows you to create your own modules, we enabled the file upload in one of them:

If we try to upload a php file, it raises an error regarding wrong file extension

This protection can be easily bypassed following the steps below:

  • Uploading an allowed file
  • Capture the request with BurpSuite (or any other proxy)
  • Replace filename extension by .php
  • Add a GIF Image header in order to bypass file content filters
  • Write the PHP code that you want to execute in the server

At this point, we have been able to upload our payload into the server and, in addition, the server provided us the path of the uploaded file.

You will have noticed that the filename has been replaced by a random string but, as far as it is giving us the name, is easy to find.

At this point, we have remote code execution in the server.

As this project is officially abandoned and its fork (Laravel-Admin) seems to have stopped the development since Laravel 5.8, we encourage the users to migrate to other supported platforms.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907