View Issue Details

ID: 4632
Project: Composr
Category: core
View Status: private
Last Update: 2021-04-02 17:32
Reporter: Guest
Assigned To: Chris Graham
Priority: normal
Severity: Security-hole
Status: resolved
Resolution: fixed
Product Version: 10.0.36
Fixed in Version: 10.0.37
Summary: 4632: Image Filter Bypass Leads to Remote Code Execution [Mass-add to gallery]
Description: We have a galleries security issue which allows us to upload a PHP file.
Whenever we upload an image from galleries, Composr allows us to upload only images. If we try to upload a PHP file from the galleries uploader it will say someone is attempting hacking activities. But we have a security issue in the Upload In Bulk section. When we check the allowed extensions in the Upload in Bulk function we can see PHP is completely prohibited. But when we tamper with the request and change the extension we can see it will upload the PHP file without any other server-side verification.
Steps To Reproduce: To get the exploit done, we have to follow the steps below.
1. Go to upload galleries.
2. Upload an image and tamper with the request, changing the extension from .jpg to .php
3. It will say hacking attempt; check the allowed extensions and you can see it's not accepting the PHP extension.
4. Now go to the upload in bulk option.
5. Upload an image with PHP code and tamper with the request.
6. Change the extension from .jpg to .php
7. It will get uploaded with the blocked PHP extension.

NOTE: You can get your shell in [/uploads/galleries/shell.php]
Tags: Type: Security
Attached Files
RCE 0day.mp4 (6,939,852 bytes)   
Allowed Extension.JPG (41,609 bytes)   

Activities

Chris Graham

2021-04-01 02:40

administrator   ~7040

Issue confirmed.
Requires mass import privilege, which is denied by default. But likely to be assigned to users on some sites.
Requires 'Allow audio as videos' option to be enabled, and it is by default.

The problem is that basically anything will pass the is_video function, and mass imports are not following upload file type restrictions.

Chris Graham

2021-04-01 03:23

administrator   ~7041

Issue also only occurs if either:
 - .htaccess is disabled
 - not running Apache
 - PHP8 is running as an Apache module
(due to our extra layer of security via uploads/galleries/.htaccess - but also that not having been updated for PHP8)

Guest

2021-04-01 06:48

reporter   ~7043

We've run it on multiple platforms like localhost and our own live lab. It appears vulnerable every time. And trusted software can't rely on other systems to be protected. So putting a fix on that is the right choice. Waiting for resolution.
Thank You.

Chris Graham

2021-04-01 20:01

administrator   ~7047

In my testing, the .htaccess blocks PHP requests for Apache+modPHP (with the exception of PHP 8) and Apache+CGI.
It might be all your machines are on PHP 8, or htaccess is not enabled (it's not by default on some Apache installs), or htaccess file was deleted, or Apache not being used, or some other configuration I don't know.
I'm not saying this isn't a serious bug, I am just trying to make sure our secondary defenses are as good as possible and establishing why they failed. The PHP 8 issue will be resolved, and a FilesMatch rule to block .php requests will also be added. The core bug will be fixed, along with a reevaluation of how our file type blacklisting works; particularly I want to make sure files like 'example.php.foo' don't slip through either (this isn't a vulnerability if following PHP's official setup instructions, but could easily be done as a configuration mistake).
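A hardened extension check of the kind the comment above calls for, as an added example that is not Composr's own code: it applies the single uploader's allowlist to mass uploads as well, and rejects a blocked extension in any dotted segment, so names like 'example.php.foo' and 'example.php.jpg' fail too. The function name, the allowlist and the blocklist are assumptions of this example.

```php
<?php
// Added example, not Composr code. Checks the client-supplied filename only;
// the Content-Type header is equally attacker-controlled and is not trusted.

// Media extensions the gallery import may accept (assumed list).
const ALLOWED_MEDIA_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'webp', 'mp4', 'webm', 'mp3', 'ogg'];

// Extensions that must never appear in ANY dotted segment of the name,
// because some web server configurations execute them wherever they appear
// (the 'example.php.foo' case from the discussion above).
const EXECUTABLE_EXTENSIONS = ['php', 'phtml', 'phar', 'php3', 'php4', 'php5', 'php7', 'php8', 'phps', 'cgi', 'pl', 'htaccess'];

/**
 * True only if the final extension is allowlisted and no segment after the
 * base name is an executable extension. Dotfiles and names without an
 * extension are rejected outright.
 */
function is_safe_media_filename(string $name): bool
{
    $name = strtolower(basename($name));   // drop any path component
    $parts = explode('.', $name);
    if (count($parts) < 2 || $parts[0] === '') {
        return false;                      // no extension, or a dotfile
    }
    $final = end($parts);
    if (!in_array($final, ALLOWED_MEDIA_EXTENSIONS, true)) {
        return false;                      // final extension not on the allowlist
    }
    // A blocked extension anywhere after the base name fails the check,
    // not only in the last position.
    foreach (array_slice($parts, 1) as $segment) {
        if (in_array($segment, EXECUTABLE_EXTENSIONS, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample filenames, as a mass upload request might submit them.
$samples = ['photo.jpg', 'clip.MP4', 'shell.php', 'example.php.foo', 'example.php.jpg', '.htaccess', 'noext'];
foreach ($samples as $f) {
    printf("%-18s %s\n", $f, is_safe_media_filename($f) ? 'accept' : 'reject');
}
```

The same check should run in every upload path (single and bulk), since the report shows the bypass came from one path skipping the restriction the other enforced.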

Guest

2021-04-01 21:58

reporter   ~7048

Trusted software is relied upon. We can't let a vulnerable piece occur here. In our test scenario we didn't delete the .htaccess file. We simply installed the software and it appeared to be vulnerable. From our perspective, you should block any files rather than images.
Thank You.

Guest

2021-04-01 22:02

reporter   ~7050

Waiting for the fix.

admin

2021-04-02 02:32

administrator   ~7055

Automated response: Upload and execution of PHP files

Mass upload of media to a gallery allows .php files to slip through, and then they may be executed via URL.

admin

2021-04-02 02:32

administrator   ~7056

Fixed in git commit a71c44e03 (https://gitlab.com/composr-foundation/composr/commit/a71c44e03 - link will become active once code pushed to GitLab)

Guest

2021-04-02 10:29

reporter   ~7057

We're going to request a CVE for that. Let us know when you guys are prepared.
Thank You.

Guest

2021-04-02 17:32

reporter   ~7061

A certificate of appreciation will be a great motivation.
Author: Orion Hridoy
Company: BugsBD Private LTD.

Issue History

Date Modified Username Field Change
2021-03-31 07:28 Guest New Issue
2021-03-31 07:28 Guest File Added: RCE 0day.mp4
2021-03-31 07:28 Guest File Added: Allowed Extension.JPG
2021-03-31 07:34 Guest Tag Attached: Type: Security
2021-04-01 02:40 Chris Graham Note Added: 0007040
2021-04-01 03:23 Chris Graham Note Added: 0007041
2021-04-01 06:48 Guest Note Added: 0007043
2021-04-01 20:01 Chris Graham Note Added: 0007047
2021-04-01 21:58 Guest Note Added: 0007048
2021-04-01 22:02 Guest Note Added: 0007050
2021-04-02 10:29 Guest Note Added: 0007057
2021-04-02 17:32 Guest Note Added: 0007061