Unrestricted File Upload Reported #276

Closed
math1as opened this issue Apr 7, 2017 · 4 comments

math1as commented Apr 7, 2017

#' Exploit Title: Unrestricted File Upload
#' Vulnerability Type: Accessing, Modifying or Executing Executable Files (CAPEC-17)
#' Reporting Date: 07-04-2017
#' Author: @math1as
#' Vendor Homepage: https://www.bigtreecms.org/
#' Software Link: https://github.com/bigtreecms
#' Version: v.4.2.16

I. Abstract

BigTree CMS is publicly licensed under the GNU Lesser General Public License.
It is an open source content management system built on PHP and MySQL.

II. Introduction

2.1 Accessing, Modifying or Executing Executable Files

An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.

2.2 Vulnerability analysis for BigTree CMS
In the file
/core/inc/bigtree/apis/storage.php
at line 11, the regular expression shows that it could be bypassed by uploading a file named ‘xxx.php[space]’:
var $DisabledExtensionRegEx = '/\.(exe|com|bat|php|rb|py|cgi|pl|sh|asp|aspx)$/i';
The attacker could then get a webshell by using this method.

III. References

3.1. CAPEC-17 https://capec.mitre.org/data/definitions/17.html
3.2. https://www.owasp.org/index.php/Unrestricted_File_Upload
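
The bypass described in section 2.2, as an added example that is not part of the original report or of BigTree's code: the quoted pattern is applied to the raw file name and compared with a hypothetical check that normalises the name and then uses an allowlist. The function names, the allowed-extension list and the sample names are assumptions made for illustration.

```php
<?php
// Blocklist pattern quoted in the report (storage.php, line 11).
const DISABLED_EXTENSION_REGEX = '/\.(exe|com|bat|php|rb|py|cgi|pl|sh|asp|aspx)$/i';

// Check as the report describes it: the raw name is tested against the
// blocklist, so anything after the extension defeats the `$` anchor.
function blocklist_allows(string $name): bool
{
    return preg_match(DISABLED_EXTENSION_REGEX, $name) !== 1;
}

// Assumed upload policy for this example, not BigTree's configuration.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

// Hypothetical hardened check: returns the normalised name to store,
// or null when the upload must be refused. The caller has to store the
// returned name, never the raw one, so the check and the file system agree.
function safe_upload_name(string $name): ?string
{
    // Refuse control characters (including NUL) outright.
    if (preg_match('/[\x00-\x1F\x7F]/', $name) === 1) {
        return null;
    }
    // Drop any directory part, then strip trailing spaces and dots.
    $base = rtrim(basename(str_replace('\\', '/', $name)), ' .');
    $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    // Allowlist: only extensions named in the policy are accepted.
    if ($base === '' || !in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }
    return $base;
}

// Constructed sample names; 'xxx.php ' is the case from the report.
foreach (['photo.jpg', 'xxx.php', 'xxx.php '] as $name) {
    printf(
        "%-12s blocklist: %-8s allowlist: %s\n",
        json_encode($name),
        blocklist_allows($name) ? 'accepted' : 'rejected',
        var_export(safe_upload_name($name), true)
    );
}
```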

timbuckingham added a commit that referenced this issue Apr 7, 2017
… to be uploaded.

Thank you to math1as from l-team for the disclosure and fix.

#276
@timbuckingham timbuckingham added this to the 4.2.17 milestone Apr 7, 2017
@timbuckingham
Collaborator

Thanks math1as! This will be in the 4.2.17 release today.

@jzySaber1996

Hello, we're investigating the issue reports in security. Since we observed that this issue may relate to security, has it been disclosed in CVE already? Thanks for your reply.

@timbuckingham
Collaborator

This is a 7 year old bug, if you're chasing CVE clout this is not your way to do it.

@jzySaber1996

We are so sorry for not explaining it well. In fact, we’ve investigated the old security issues that have not been found in CVE, so it is a human evaluation.
Since our automatic tool has observed that this issue may relate to a potential vulnerability, we want to make sure whether it is really a security bug, and have been disclosed somewhere…
Thank you again for the reply, best wishes!
