CVE-2023-34738: Arbitrary file upload vulnerability in Chemex 3.7.1 · Issue #64 · celaraze/chemex

Chemex through 3.7.1 is vulnerable to arbitrary file upload.


1. Synopsis

Chemex is vulnerable to arbitrary file upload, which can lead to remote code execution.

This vulnerability exists in Chemex's latest version, 3.7.1, and all versions below. The upload/import function enforces the file-type filter only in the frontend; the backend code performs no filtering at all, so an attacker can bypass it simply by editing the request in an intercepting proxy such as Burp Suite.

2. Analysis

The vulnerable endpoints are listed below:
/dcat-api/form/upload (/organization/users)
/device/records
/device/categories
/vendor/records

We are going to analyse the endpoint /organization/users.

The corresponding code is in chemex-main/app/Admin/Forms/UserImportForm.php, in the form function.

It applies a filter that accepts only xlsx and csv files, but this filter runs only in the frontend (client side), so it constrains the browser, not the attacker.

The backend upload handler is in chemex-main/vendor/dcat/laravel-admin/src/Form/Field/UploadField.php, in the upload function.

Reading that code carefully, you will find that it performs no filtering at all: neither the extension nor the content of the uploaded file is checked on the server.

3. Exploit

You can use the following query to search for vulnerable targets on the internet with Hunter (https://hunter.qianxin.com/): web.body="让IT资产管理更加简单"&&web.body="dcat-admin/dcat/plugins/vendors.min.js"

You can log in with the default credentials admin : admin, or with other simple passwords.

The following targets have been tested by me:

https://gz.yunxiaoseo.com/  admin : 123456
http://42.192.138.41:8005/  admin : admin
https://jixiadmin.qiyekj.cn/    admin : admin
http://121.28.101.42:81/    admin : admin
http://81.70.56.151/        admin : admin

The target we are going to test is http://81.70.56.151/; it runs the latest version I have found so far (the latest release is 3.7.1).

Click the “组织” (Organization) button or go directly to the URL /organization/users, then click the green “导入人员信息模板” (import personnel information template) button.

A dialog will pop up asking you to select a file to upload. Drag in or select an xlsx file, then intercept the upload request with Burp.

In Burp, send the request to Repeater, change the filename parameter to a .php name, and replace the file body with some simple code that executes commands.

The path of the uploaded file is echoed in the response; open it in your web browser.

Finally, you gain code execution.
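To make the missing server-side check concrete, here is an added example. It is not code from Chemex or dcat-admin (both are PHP); it is a framework-agnostic Python model of the same flow. It builds the multipart/form-data body the browser sends for the import form, applies the Burp Repeater edit of the filename parameter from the steps above, and shows the backend allowlist and content check that the analysis section says is absent, together with the other half of the fix: never storing a file under the client-supplied name. The function names, the boundary string, and the sample file bytes are all constructed for this demo.

```python
import re
import secrets

# Constructed allowlist: the import form only consumes spreadsheets.
ALLOWED_EXTENSIONS = {"xlsx", "csv"}

# An .xlsx file is a ZIP container, so its first four bytes are fixed.
ZIP_MAGIC = b"PK\x03\x04"


def build_request(filename: str, data: bytes, boundary: str = "----BurpBoundary") -> bytes:
    """Build the multipart/form-data body the browser sends for the import form.

    Rewriting `filename` (and the body) here is exactly the edit done in Burp.
    """
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    return head + data + f"\r\n--{boundary}--\r\n".encode()


def parse_multipart(body: bytes, boundary: str) -> list[dict]:
    """Minimal multipart parser: returns parts as {name, filename, data}."""
    parts = []
    for chunk in body.split(b"--" + boundary.encode())[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter
        head, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):
            data = data[:-2]
        name = re.search(rb'name="([^"]*)"', head)
        fname = re.search(rb'filename="([^"]*)"', head)
        parts.append({
            "name": name.group(1).decode() if name else "",
            "filename": fname.group(1).decode() if fname else None,
            "data": data,
        })
    return parts


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """The backend check the advisory says is missing: allowlisted extension
    AND content consistent with that extension. Returns (ok, ext_or_reason)."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]  # ignore any path
    if not base or "\x00" in base:
        return False, "malformed filename"
    if "." not in base:
        return False, "no extension"
    ext = base.rsplit(".", 1)[1].lower()          # case-insensitive: shell.PhP
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} is not allowed"
    if ext == "xlsx" and not data.startswith(ZIP_MAGIC):
        return False, "content is not an xlsx (zip) container"
    if ext == "csv":
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            return False, "csv is not utf-8 text"
    return True, ext


def stored_name(ext: str) -> str:
    """Never reuse the client filename on disk: random name, server-chosen extension."""
    return f"{secrets.token_hex(16)}.{ext}"


def handle_import(body: bytes, boundary: str = "----BurpBoundary") -> dict:
    """Process the import request the way the backend should have."""
    for part in parse_multipart(body, boundary):
        if part["filename"] is None:
            continue  # ordinary form field, not a file
        ok, info = validate_upload(part["filename"], part["data"])
        if not ok:
            return {"status": 422, "error": info}
        return {"status": 200, "stored_as": stored_name(info)}
    return {"status": 400, "error": "no file part"}


if __name__ == "__main__":
    webshell = b"<?php system($_GET['cmd']); ?>"          # constructed payload
    # Legitimate upload from the browser (constructed xlsx header).
    print(handle_import(build_request("users.xlsx", ZIP_MAGIC + b"\x00" * 16)))
    # The same request after the Burp edit described above: now rejected.
    print(handle_import(build_request("shell.php", webshell)))
```

The two checks are deliberately independent: the extension allowlist stops the plain filename rewrite, the magic-byte check stops a PHP body smuggled in as shell.xlsx, and the random server-chosen storage name means even a double extension such as shell.php.xlsx never lands on disk with "php" anywhere in its path. In the real project the equivalent would be a server-side rule on the upload handler rather than only the accept list the frontend form sets.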

A video demonstration against the latest version can be found at: https://mega.nz/file/dUlAyY7J#5ceaOxDibsRaqSC8VEqB6IZCWdiFCU1-WhfbLB72la0
