Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-f3cx-396f-7jqp: Livewire Remote Code Execution on File Uploads

In livewire/livewire < v3.5.2, the file extension of an uploaded file is guessed based on the MIME type. As a result, the actual file extension from the file name is not validated. An attacker can therefore bypass the validation by uploading a file with a valid MIME type (e.g., image/png) and a “.php” file extension. If the following criteria are met, the attacker can carry out an RCE attack:

  • Filename is composed of the original file name using $file->getClientOriginalName()
  • Files stored directly on your server in a public storage disk
  • Webserver is configured to execute “.php” files

PoC

In the following scenario, an attacker could upload a file called shell.php with an image/png MIME type and execute it on the remote server.

class SomeComponent extends Component
{
    use WithFileUploads;

    #[Validate('image|extensions:png')]
    public $file;

    public function save()
    {
        $this->validate();

        $this->file->storeAs(
            path: 'images',
            name: $this->file->getClientOriginalName(),
            options: ['disk' => 'public'],
        );
    }
}
ghsa
#web#git#php#rce
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2024-47823

Livewire Remote Code Execution on File Uploads

High severity GitHub Reviewed Published Oct 8, 2024 in livewire/livewire • Updated Oct 8, 2024

Package

composer livewire/livewire (Composer)

Affected versions

< 3.5.2

In livewire/livewire < v3.5.2, the file extension of an uploaded file is guessed based on the MIME type. As a result, the actual file extension from the file name is not validated. An attacker can therefore bypass the validation by uploading a file with a valid MIME type (e.g., image/png) and a “.php” file extension.
If the following criteria are met, the attacker can carry out an RCE attack:

  • Filename is composed of the original file name using $file->getClientOriginalName()
  • Files stored directly on your server in a public storage disk
  • Webserver is configured to execute “.php” files

PoC

In the following scenario, an attacker could upload a file called shell.php with an image/png MIME type and execute it on the remote server.

class SomeComponent extends Component { use WithFileUploads;

#\[Validate('image|extensions:png')\]
public $file;

public function save()
{
    $this\->validate();

    $this\->file\->storeAs(
        path: 'images',
        name: $this\->file\->getClientOriginalName(),
        options: \['disk' => 'public'\],
    );
}

}

References

  • GHSA-f3cx-396f-7jqp
  • https://nvd.nist.gov/vuln/detail/CVE-2024-47823
  • livewire/livewire@70503b7

Published to the GitHub Advisory Database

Oct 8, 2024

ghsa: Latest News

GHSA-vm62-9jw3-c8w3: Gogs has an argument Injection in the built-in SSH server