CVE-2020-25790: Bypass File Uploading restrictions leads to Command Execution · Issue #674 · Typesetter/Typesetter

** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because "admins are considered trustworthy"; however, the behavior “contradicts our security policy” and is being fixed for 5.2.

Tags: CVE, web, mac, php, rce, auth

Hello all, I was testing the upload mechanism, and I found that it is possible to bypass the protection for .php files by placing the .php inside a .zip file and extracting it. Once this is done, it is possible to execute commands on the machine using a malicious PHP file (webshell). Okay, the viability decreases a little because it is an admin functionality; however, if it is not allowed to upload a .php file, then placing the same file inside a .zip and extracting and executing it should also not be allowed.

  • Steps to reproduce
    1- As admin, go to the Content menu and click on Uploaded files.
    2- Inside it, try to upload a .php file, and
    3- try to upload a .php file directly; check that it is not possible.
    4- Take the same .php file, place it in a .zip and upload it.
    5- Extract it through the functionality and open the .php file.
    Obs: A strange behavior was that, after extracting the PHP file in the functionality, it is seen as HTML.

  • PoC
    ==> Executing Commands (image)
    ==> Try to upload a .php directly (image)
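The report's point is that the direct-upload filter and the archive extractor were two separate code paths, and only one of them enforced the .php restriction. The following is an added example from the defender's side; it is not part of this issue or of Typesetter's own code, and it is written in Python rather than the project's PHP so that it runs stand-alone. It shows one filename policy shared by both paths, applied to every ZIP entry before anything is written, together with a path-containment check so an entry cannot escape the upload directory. The denylist, the file names and the archive contents are constructed for the example; a real deployment must reuse whatever list its upload form already enforces.

```python
import io
import os
import posixpath
import tempfile
import zipfile

# Constructed denylist for this example. In a real deployment this must be the
# very same list the direct-upload form enforces, so that both code paths
# share one policy and "zip it, then extract it" cannot sidestep the filter.
BLOCKED_EXTENSIONS = {".php", ".phtml", ".phar", ".phps", ".php3", ".php4", ".php5", ".php7"}


def is_allowed_filename(name: str) -> bool:
    """Single upload policy, applied to direct uploads and to archive entries.

    Rejects absolute paths and traversal components, and checks every dotted
    suffix of the basename (so "shell.php.txt" is rejected as well as
    "shell.php"), since some server configurations treat an inner .php
    suffix as executable.
    """
    normalized = name.replace("\\", "/")
    if normalized.startswith("/") or ".." in normalized.split("/"):
        return False
    basename = posixpath.basename(normalized)
    if not basename:
        return False  # empty name or trailing slash; nothing to store
    suffixes = basename.lower().split(".")[1:]
    return not any("." + s in BLOCKED_EXTENSIONS for s in suffixes)


def _resolve_inside(dest_root: str, name: str):
    """Return the absolute target path for an entry, or None if it would land
    outside dest_root (the classic zip-slip case)."""
    target = os.path.realpath(os.path.join(dest_root, name))
    if os.path.commonpath([dest_root, target]) != dest_root:
        return None
    return target


def safe_extract(archive_bytes: bytes, dest_dir: str):
    """Extract an uploaded ZIP, applying the upload policy to each entry.

    Returns (extracted, rejected) lists of entry names. Rejected entries are
    skipped so the rest of the archive is still usable; a caller that wants
    fail-closed behaviour can treat a non-empty rejected list as an error.
    """
    dest_root = os.path.realpath(dest_dir)
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            target = _resolve_inside(dest_root, name)
            if target is None or (not info.is_dir() and not is_allowed_filename(name)):
                rejected.append(name)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(name)
    return extracted, rejected


def build_sample_archive() -> bytes:
    """Constructed sample mirroring the report: a harmless file, a PHP file the
    direct-upload form would refuse, a double-extension variant, and a
    traversal entry. Contents are placeholder text, not real code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("images/logo.txt", "placeholder text")
        zf.writestr("images/shell.php", "placeholder, must never reach disk")
        zf.writestr("notes.php.txt", "placeholder, inner .php suffix")
        zf.writestr("../outside.txt", "placeholder, zip-slip path")
    return buf.getvalue()


def demo() -> dict:
    """Extract the sample into a scratch directory and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        extracted, rejected = safe_extract(build_sample_archive(), tmp)
        on_disk = sorted(
            os.path.relpath(os.path.join(root, f), tmp).replace(os.sep, "/")
            for root, _, files in os.walk(tmp) for f in files
        )
    return {"extracted": extracted, "rejected": rejected, "on_disk": on_disk}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the file extracts only `images/logo.txt`; the .php entry, the double-extension entry and the traversal entry are reported as rejected and never touch the disk. The important design choice is that `is_allowed_filename` is the one function both the upload form and the extractor call: the bypass in the report exists precisely when the archive path has its own, weaker rules.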

t0gu changed the title from "Bypass File upload leads to Command execution" to "Bypass File Uploading restrictions leads to Command Execution"

Sep 18, 2020

I can’t extract php from zip. How do you do this?

**t0gu** (Author) commented Sep 18, 2020

Sorry if I explained it wrong. I made a GIF, step by step.

Oh, I see. Which version are you using? This is definitely not the current master from here.

**t0gu** (Author) commented Sep 18, 2020

@mahotilo 5.1, like the image below.

I got it from the latest releases. Is there another, more recent version? Once again, sorry about my explanation :(

If you are trying to make an issue, please consider using the latest version.

EDIT: Hint

**t0gu** (Author) commented Sep 18, 2020

I'll test on that version too =). One question: was this issue reported before, on version 5.1?

As far as I remember, this was known to the developers.

**juek** (Member) commented Sep 18, 2020 (edited)

I can confirm it works in versions 5 - 5.1.
It didn't work in 4.x versions.

@t0gu

> i'll testing on that version too =)

If you still manage to get it working with current master (5.2-rc), please report.
It shouldn't be possible unless you change related settings in /gpconfig.php

> One question, this issue was reported before?

It was not reported, but there were rumors about something like that. Allegedly it is part of an exploit suite that can be bought. However, rather dubious sources IMO.

While this is an 'authenticated RCE', which clearly contradicts our security policy, Typesetter is not a community platform and there is no way to register user accounts yourself which could do such things. So, Typesetter admins are considered trustworthy.

Nevertheless, it is something that must not happen, and Typesetter 5.2 will prevent it AFAIK.

**t0gu** (Author) commented Sep 18, 2020

@juek thanks for confirming =) I'm testing on version 5.2 and it was fixed.

I just tested on 5.2 as well and could not extract the php file.
