| Titel | RapidCMS has an arbitrary file upload vulnerability |
|---|
| Beschreibung | [Suggested description]
An arbitrary file upload vulnerability in /admin/config/uploadicon.php which allows attackers to getshell
RapidCMS Dev.1.3.1 was discovered to contain an arbitrary file upload vulnerability in /admin/config/uploadicon.php which leads to getshell
[Vulnerability Type]
arbitrary file upload
[Vendor of Product]
https://github.com/OpenRapid/rapidcms
[Affected Product Code Base]
RapidCMS Dev.1.3.1
[Affected Component]
/admin/config/uploadicon.php
affected function: isImg()
function isImg($fileName)
{
$file = fopen($fileName, "rb");
$bin = fread($file, 2); // 只读2字节
fclose($file);
$strInfo = @unpack("C2chars", $bin);
$typeCode = intval($strInfo['chars1'] . $strInfo['chars2']);
$fileType = '';
if ($typeCode == 255216 /*jpg*/ || $typeCode == 7173 /*gif*/ || $typeCode == 13780 /*png*/) {
return $typeCode;
} else {
// echo '"仅允许上传jpg/jpeg/gif/png格式的图片!';
return false;
}
}
[Attack Type]
Remote
[Impact]
Code Execution |
|---|
| Quelle | ⚠️ https://github.com/yhy217/rapidcms-vul/issues/5 |
|---|
| Benutzer | jamspilly (UID 54414) |
|---|
| Einreichung | 19.09.2023 02:51 (vor 3 Jahren) |
|---|
| Moderieren | 29.09.2023 07:22 (10 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 240871 [OpenRapid RapidCMS 1.3.1 uploadicon.php isImg fileName erweiterte Rechte] |
|---|
| Punkte | 20 |
|---|