CVE-2022-44276: GitHub - HerrLeStrate/CVE-2022-44276-PoC: PoC for Responsive Filemanager < 9.12.0 bypass upload restrictions lead to RCE

In Responsive Filemanager < 9.12.0, an attacker can bypass upload restrictions resulting in RCE.


CVE-2022-44276-PoC

PoC for Responsive Filemanager < 9.12.0 bypass upload restrictions lead to RCE

Where's the vuln?

When a new file is uploaded, its filename is passed through the function fix_filename: https://github.com/trippo/ResponsiveFilemanager/blob/9a7411f3eab3b7d8e2c78dcf40b4325bde2c548d/filemanager/upload.php#L112

That function calls PHP's strip_tags, which removes anything that looks like an HTML tag: a complete <...> pair, and also an unterminated '<' together with everything after it: https://github.com/trippo/ResponsiveFilemanager/blob/9a7411f3eab3b7d8e2c78dcf40b4325bde2c548d/filemanager/include/utils.php#L581

So we can send a file with a filename like shell.php<.txt. The ".txt" suffix satisfies the extension allowlist, but strip_tags cuts the name at the '<', so the file is stored as shell.php.

But there is an additional check of the file type based on its content: https://github.com/trippo/ResponsiveFilemanager/blob/9a7411f3eab3b7d8e2c78dcf40b4325bde2c548d/filemanager/upload.php#L101

So we cannot upload a classic PHP shell such as <?php system($_GET['c']); ?> as-is: its first bytes identify it as PHP. But there is a simple trick: get_extension_from_mime decides the type from only the first several bytes of the file. If the payload starts with a run of plain 'a' characters, the content is detected as txt and passes the check, while the PHP code that follows the padding still executes when the stored shell.php is requested.

How to exploit

  1. Intercept the upload request with Burp Suite (the uploaded file is the PHP shell preceded by a run of 'a' characters, as described above)
  2. Change the filename to shell.php<.txt
  3. Browse to url/source/shell.php?c=<your_command>
