Issue confirmed.
Requires the mass import privilege, which is denied by default but likely to be assigned to users on some sites.
Requires the 'Allow audio as videos' option to be enabled, and it is by default.
The problem is that basically anything will pass the is_video function, and mass imports are not following upload file type restrictions.
Issue also only occurs if one of the following applies:
- .htaccess is disabled
- not running Apache
- PHP8 is running as an Apache module
(due to our extra layer of security via uploads/galleries/.htaccess, but also because that had not been updated for PHP 8)
By Guest,
posted
We've run it on multiple platforms like localhost and our own live lab. It appears vulnerable every time. And trusted software can't rely on other systems to be protected. So putting a fix on that is the right choice. Waiting for resolution.
Thank You.
In my testing, the .htaccess blocks PHP requests for Apache+modPHP (with the exception of PHP 8) and Apache+CGI.
It might be all your machines are on PHP 8, or htaccess is not enabled (it's not by default on some Apache installs), or htaccess file was deleted, or Apache not being used, or some other configuration I don't know.
I'm not saying this isn't a serious bug, I am just trying to make sure our secondary defenses are as good as possible and establishing why they failed. The PHP 8 issue will be resolved, and a FilesMatch rule to block .php requests will also be added. The core bug will be fixed, along with a reevaluation of how our file type blacklisting works; particularly I want to make sure files like 'example.php.foo' don't slip through either (this isn't a vulnerability if following PHP's official setup instructions, but could easily be done as a configuration mistake).
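The two checks discussed above (a filename blacklist that looks only at the last extension versus one that inspects every extension segment, and a weak versus a hardened FilesMatch pattern) side by side, as an added example that is not the project's own code and not code from either poster. The extension lists, the function names and the sample filenames are constructed for illustration; `filesmatch_denies` approximates Apache's `<FilesMatch>` with Python's `re` (a regex search over the basename, case-sensitive unless `(?i)` is used). The reason 'example.php.foo' matters is documented Apache behaviour: with an `AddHandler application/x-httpd-php .php` setup Apache applies the handler to any extension segment, whereas the `<FilesMatch "\.php$"> SetHandler` form recommended in PHP's installation instructions only matches a final `.php`.

```python
import re

# Extension segments an AddHandler-style Apache+PHP setup would execute.
# Illustrative list, not the project's real blacklist.
EXECUTABLE_SEGMENTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}

# Types the gallery mass import is assumed to accept (assumption for this example).
IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "webp"}
VIDEO_EXTENSIONS = {"mp4", "webm"}
AUDIO_EXTENSIONS = {"mp3", "ogg"}

# A weak pattern (final .php only) and a hardened one (any executable segment,
# case-insensitive, followed by another dot or the end of the name).
WEAK_FILESMATCH = r"\.php$"
STRONG_FILESMATCH = r"(?i)\.(php[0-9]?|phtml|phar|phps)(\.|$)"


def extension_segments(filename: str) -> list[str]:
    """Every dot-separated segment after the base name, lower-cased.

    'Example.PHP.foo' -> ['php', 'foo']; 'weird.jpg.' -> ['jpg', '']; 'noext' -> []
    """
    base = filename.rsplit("/", 1)[-1]          # ignore any directory part
    return base.lower().split(".")[1:]


def blocked_by_last_extension(filename: str) -> bool:
    """The weak check: only the final extension is consulted, so 'example.php.foo'
    passes even though an AddHandler-based Apache setup would execute it."""
    segs = extension_segments(filename)
    return bool(segs) and segs[-1] in EXECUTABLE_SEGMENTS


def blocked_by_any_segment(filename: str) -> bool:
    """The stronger check: an executable segment anywhere in the name blocks it."""
    return any(seg in EXECUTABLE_SEGMENTS for seg in extension_segments(filename))


def allowed_for_mass_import(filename: str, allow_audio_as_videos: bool = True) -> bool:
    """Whitelist on the final extension plus the any-segment blacklist, i.e. the
    same restrictions a single upload gets, applied to mass import too."""
    segs = extension_segments(filename)
    if not segs or segs[-1] == "":             # no extension, or a trailing dot
        return False
    allowed = IMAGE_EXTENSIONS | VIDEO_EXTENSIONS
    if allow_audio_as_videos:
        allowed = allowed | AUDIO_EXTENSIONS
    if segs[-1] not in allowed:
        return False
    return not blocked_by_any_segment(filename)


def filter_mass_import(filenames: list[str], allow_audio_as_videos: bool = True) -> list[str]:
    """Return only the names a hardened mass import would accept."""
    return [f for f in filenames if allowed_for_mass_import(f, allow_audio_as_videos)]


def filesmatch_denies(pattern: str, filename: str) -> bool:
    """Approximation of an Apache <FilesMatch pattern> 'Require all denied' rule:
    PCRE-style search over the basename. Constructed helper, not Apache itself."""
    return re.search(pattern, filename.rsplit("/", 1)[-1]) is not None


# Constructed sample batch, as a mass import might receive it.
SAMPLE_BATCH = [
    "photo.jpg", "clip.mp4", "song.mp3",
    "shell.php", "Shell.PHP.jpg", "innocent.jpg.php",
    "example.php.foo", "weird.jpg.", "archive.tar.gz", "noext",
]

if __name__ == "__main__":
    for name in SAMPLE_BATCH:
        print(f"{name:18} last-ext-block={blocked_by_last_extension(name)!s:5} "
              f"any-seg-block={blocked_by_any_segment(name)!s:5} "
              f"import-ok={allowed_for_mass_import(name)!s:5} "
              f"weak-deny={filesmatch_denies(WEAK_FILESMATCH, name)!s:5} "
              f"strong-deny={filesmatch_denies(STRONG_FILESMATCH, name)}")
```

Run it as a script to see the table: only `photo.jpg`, `clip.mp4` and `song.mp3` survive the hardened import filter, and `song.mp3` drops out when `allow_audio_as_videos=False`. The point of the `STRONG_FILESMATCH` pattern is the `(\.|$)` tail combined with `(?i)`: it catches `example.php.foo` and `Shell.PHP` while leaving `phpinfo.txt` alone, which the `\.php$` form does not.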
By Guest,
posted
Trusted software is relied upon. We can't let a vulnerability occur here. In our test scenario we didn't delete the .htaccess file. We simply installed the software and it appeared to be vulnerable. From our perspective, you should block all files other than images.
Thank You.
#4632 - Image Filter Bypass Leads Remote Code Execution [Mass-add to gallery]
Mass upload of media to a gallery allows .php files to slip through, and then they may be executed via URL.
Thank You.
Author: Orion Hridoy
Company: BugsBD Private LTD.