Headline
CVE-2020-25790: Bypass File Uploading restrictions leads to Command Execution · Issue #674 · Typesetter/Typesetter
** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because "admins are considered trustworthy"; however, the behavior “contradicts our security policy” and is being fixed for 5.2.
Hello all, I was testing the upload mechanism, and I found that it is possible to bypass the protection for .php files by placing the .php inside a .zip file and extracting it. Once this is done, it is possible to execute commands on the machine using a malicious PHP file (webshell). Okay, the viability decreases a little because it is admin functionality; however, if uploading a .php file is not allowed, then placing the same file inside a .zip, extracting it and executing it should also not be allowed.
Steps to reproduce
1- As admin, go to the Content menu and click on Uploaded files.
2- Try to upload a .php file directly, and check that it is not possible.
3- Take the same .php file, place it in a .zip and upload it.
4- Extract it through the extract functionality and open the .php file.
Obs: A strange behavior was that, after extracting the PHP file through the functionality, it is seen as HTML.
PoC
==> Executing commands
==> Trying to upload a .php directly
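The check the report implies is missing, as an added example in Python rather than Typesetter's own PHP code: every entry of an uploaded archive is vetted against the same extension deny-list the direct upload form enforces before anything is written, and entries that would escape the upload directory are refused as well. The extension list, the .htaccess handling, the function names and the two sample archives are constructed for this example and are not taken from the project.

```python
import io
import os
import posixpath
import zipfile
from typing import Dict, List, Optional

# Constructed deny-list for this example (not Typesetter's configuration): the
# extensions a direct upload would reject, plus .htaccess, which can re-enable a
# PHP handler under Apache if it lands in the upload directory.
BLOCKED_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "php7",
                      "phar", "phps", "htaccess"}


def blocked_reason(name: str) -> Optional[str]:
    """Return why an archive entry must not be extracted, or None if it is allowed."""
    if name.endswith("/"):
        return None  # directory entry: nothing is written for it
    norm = posixpath.normpath(name)
    if norm.startswith("/") or "\\" in name or norm == ".." or norm.startswith("../"):
        return "path escapes the upload directory"
    base = posixpath.basename(norm).lower().rstrip(".")
    # Inspect every dotted segment after the first, so shell.php.jpg and
    # shell.php. are caught as well as plain shell.php.
    for ext in base.split(".")[1:]:
        if ext in BLOCKED_EXTENSIONS:
            return f"blocked extension .{ext}"
    return None


def vet_archive(zip_bytes: bytes) -> Dict[str, str]:
    """Map each disallowed entry to its reason; an empty dict means the archive is clean."""
    problems: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            reason = blocked_reason(info.filename)
            if reason:
                problems[info.filename] = reason
    return problems


def extract_upload(zip_bytes: bytes, dest: str) -> List[str]:
    """Reject the whole archive if any entry is disallowed, otherwise extract it under dest."""
    problems = vet_archive(zip_bytes)
    if problems:
        raise ValueError(f"archive rejected: {problems}")
    written: List[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.endswith("/"):
                continue
            # Rebuild the path from normalized components so dest stays the root.
            target = os.path.join(dest, *posixpath.normpath(info.filename).split("/"))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written


def build_zip(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample archives: the shape described in the report (a .php hidden
# next to harmless files) and a benign one.
MALICIOUS_ZIP = build_zip({
    "images/logo.png": b"\x89PNG constructed placeholder",
    "shell.php": b"<?php /* webshell body omitted */ ?>",
})
BENIGN_ZIP = build_zip({
    "images/logo.png": b"\x89PNG constructed placeholder",
    "docs/readme.txt": b"hello",
})

if __name__ == "__main__":
    import tempfile
    print("malicious:", vet_archive(MALICIOUS_ZIP))
    with tempfile.TemporaryDirectory() as d:
        print("benign extracted:", extract_upload(BENIGN_ZIP, d))
```

Vetting runs over the full entry list before the first byte is written, so a mixed archive is refused as a unit instead of leaving the harmless files behind while the .php is silently dropped; the admin sees which entry caused the rejection.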
t0gu changed the title from "Bypass File upload leads to Command execution" to "Bypass File Uploading restrictions leads to Command Execution" on Sep 18, 2020
I can’t extract php from zip. How do you do this?
**t0gu** (Author) commented Sep 18, 2020
Sorry if I explained it wrong. I made a gif, step by step.
Oh, I see. Which version are you using? This is definitely not the current master from here.
**t0gu** (Author) commented Sep 18, 2020
@mahotilo 5.1, like the image below.
I got it from the latest releases. Is there another, more recent version? Once more, sorry about my explanation :(
If you are trying to make an issue, please consider using the latest version.
**t0gu** (Author) commented Sep 18, 2020
I'll be testing on that version too =). One question: was this issue reported before, at version 5.1?
As far as I remember, this was known to the developers.
**juek** (Member) commented Sep 18, 2020
I can confirm it works in Versions 5 - 5.1.
It didn’t work in 4.x versions.
@t0gu
> I'll be testing on that version too =)
If you still manage to get it working with current master (5.2-rc), please report.
It shouldn't be possible unless you change related settings in /gpconfig.php.
> One question, was this issue reported before?
It was not reported, but there were rumors about something like that. Allegedly it is part of an exploit suite that can be bought. However, rather dubious sources IMO.
While this is an 'authenticated RCE', which clearly contradicts our security policy, Typesetter is not a community platform and there is no way to register user accounts yourself which could do such things. So, Typesetter admins are considered trustworthy.
Nevertheless it is something that must not happen and Typesetter 5.2 will prevent it AFAIK.
**t0gu** (Author) commented Sep 18, 2020
@juek thanks for confirming =) I'm testing on version 5.2 and it was fixed.
I just tested on 5.2 as well and could not extract the php file.