CVE-2023-24269: CVE-Publications/CVE-2023-24269.md at main · s4n-h4xor/CVE-Publications
An arbitrary file upload vulnerability in the plugin upload function of Textpattern v4.8.8 allows attackers to execute arbitrary code via a crafted Zip file.
Affected Product Name and Version: Textpattern v4.8.8
Title: Authenticated Remote Code Execution (RCE) in Plugin Installation on Textpattern 4.8.8
Vulnerability Summary:
A vulnerability has been discovered in the plugin upload section of Textpattern 4.8.8 that allows authenticated remote code execution (RCE) through the upload of a malicious plugin. An attacker must have a valid user account on the affected website to exploit it. The flaw lies in the plugin installation process, where user-supplied input is not properly sanitized and proper security controls are missing. It can be exploited by tricking the web server and uploading dangerous file types, leading to RCE.
Impact:
A privileged attacker can use the plugin upload functionality to gain access to the server, steal sensitive information, and modify content. The attacker may also use this vulnerability to propagate malware and launch further attacks on the server and other systems on the network, potentially leading to a complete compromise of the affected system and potentially of connected networks.
Proof of Concept:
A user creates a zip file with a shell.php file containing the following code:
1. Created a zip file containing a shell.php
A user with a valid account logs into the Textpattern website, navigates to the plugin upload section, and uploads a malicious zip file. The user then accesses the file through the path “/textpattern/plugins/shell/shell.php” and can execute arbitrary commands by appending “?cmd=command_here” to the URL.
2. Malicious zip file containing the shell.php uploaded
3. Execute arbitrary commands by accessing the web shell
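Added example (not part of the original advisory or the Textpattern project): a detection check for the access pattern in the proof of concept, flagging direct requests for PHP files under `/textpattern/plugins/` in web server access logs. It assumes Combined Log Format and that plugin PHP files are not normally requested directly by clients; the function name and the log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Combined Log Format: host ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# A PHP file requested directly from inside a plugin directory.
PLUGIN_PHP_RE = re.compile(r'^/textpattern/plugins/[^/]+/[^/]+\.php$', re.IGNORECASE)


def suspicious_plugin_requests(lines):
    """Return (client, path, param_names, status) for direct hits on plugin PHP files."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not parseable access-log entries
        client, _method, target, status = m.groups()
        parts = urlsplit(target)
        path = unquote(parts.path)  # normalise percent-encoded path segments
        if not PLUGIN_PHP_RE.match(path):
            continue
        # Record only parameter names; values may contain attacker-supplied data.
        params = sorted(parse_qs(parts.query, keep_blank_values=True))
        hits.append((client, path, params, int(status)))
    return hits


# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Feb/2023:10:00:01 +0000] "GET /textpattern/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Feb/2023:10:00:09 +0000] "POST /textpattern/index.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Feb/2023:10:00:15 +0000] "GET /textpattern/plugins/shell/shell.php?cmd=command_here HTTP/1.1" 200 54 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Feb/2023:10:02:00 +0000] "GET /articles/1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, path, params, status in suspicious_plugin_requests(SAMPLE_LOG):
        print(f"{client} requested {path} params={params} status={status}")
```

A 200 status on such a request, shortly after a plugin upload by the same client, is the sequence worth reviewing first.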