Headline

CVE-2022-23043: Zenario CMS 9.2 - Insecure file upload (RCE) | Fluid Attacks

Zenario CMS 9.2 allows an authenticated admin user to bypass the file upload restriction by creating a new ‘File/MIME Types’ using the ‘.phar’ extension. Then an attacker can upload a malicious file, intercept the request and change the extension to ‘.phar’ in order to run commands on the server.

2 years ago

CVE

Open in Source

#sql #vulnerability #web #linux #apache #git

Summary

Name

Zenario CMS 9.2 - Insecure file upload (RCE)

Code name

Simone

Product

Zenario CMS

Affected versions

9.2

Fixed versions

9.2.55826

State

Public

Release date

2022-02-18

Vulnerability

Kind

Insecure file upload (RCE)

Rule

027. Insecure file upload

Remote

Yes

CVSSv3 Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVSSv3 Base Score

9.1

Exploit available

CVE ID(s)

CVE-2022-23043

Description

Zenario CMS 9.2 allows an authenticated admin user to bypass the file upload restriction by creating a new File/MIME Types using the .phar extension. Then an attacker can upload a malicious file, intercept the request and change the extension to .phar in order to run commands on the server.

Proof of Concept

Steps to reproduce

Once login as admin click on 'Go to Organizer’> 'Configuration’.
Select ‘File/MIME Types’ in the ‘Configuration’ menu.
Click on 'Create’.
Create a new custom file type using ‘phar’ as extension and ‘text/plain’ as MIME Type and then click on 'Save’.

The server validates some malicious extensions but still there are some valid executable extensions. For example ‘phar’ and 'shtml’.
Create a ‘.phar’ file with the following content.
```
<?php echo system($_GET['cmd']); ?>
```
On the admin menu, click on ‘Documents’
Click on ‘Upload documents’
Click on ‘Upload…’ and browse the created file.
Select ‘Public’ and click on 'Save’.
Select the file and click on ‘Actions’ > ‘View public link’ in order to get the file location.
Go to the url in the browser.