提出 #849572: AREA 17 Twill CMS 3.6.0 Unrestricted File Upload情報

タイトルAREA 17 Twill CMS 3.6.0 Unrestricted File Upload
説明Twill CMS does not check the type of files uploaded through the File Library. The handler `FileLibraryController::storeFile` takes the filename from the request and keeps its extension intact, and the matching form request `FileRequest` only requires the upload fields to be present without any extension or MIME check. Files are written to the `twill_file_library` disk, which is public and rooted in `storage/app/public/uploads`. That path is exposed through Laravel's `storage:link` symlink, so an uploaded file is reachable at `/storage/uploads/`. A back-office user with the Publisher role can upload a PHP file and call it to run code on the server. The upload response returns the file's URL, so no path guessing is needed. Tested on 3.6.0 with Apache/mod_php. Proof of concept Steps, performed as a Publisher-role user: Prepare a test payload shell.php: <?php echo 'PWNED:'.php_uname().':'.exec($_GET['c'] ?? 'id'); ?> Authenticate to the admin panel and open a content record containing a File field. In the File field, choose Add file, then upload shell.php from the Upload tab. The file is accepted; no type validation error is returned. Determine the stored URL. The application returns it in the upload response: the POST /admin/file-library/files reply contains a JSON media.src value of the form http://<target>/storage/uploads/<dir>/shell.php. The same file also appears in the library with a download link to that location. No path enumeration is required. image.png Request the file with a command parameter: GET http://<target>/storage/uploads/<dir>/shell.php?c=id The response confirms execution as the web server user: PWNED:Linux <host> x86_64:uid=33(www-data) gid=33(www-data) groups=33(www-data) An automated proof of concept, twill-cms-rce.py, is included with this advisory. It authenticates, performs the Laravel CSRF handshake (the XSRF-TOKEN cookie must be returned in the X-XSRF-TOKEN request header; omitting it yields HTTP 419), uploads the payload, and retrieves the execution result. A full request and response transcript is provided in evidence/http_trace.txt. Attempting to write outside the uploads directory by setting unique_folder_name to a traversal sequence (for example ../../public/...) is rejected by the underlying Flysystem library with a PathTraversalDetected error. This does not affect exploitability, as the default uploads directory is already served and executable. Application: https://github.com/area17/twill PoC: https://github.com/bytium/vulnerability-research/blob/main/poc/twill-cms-rce.py Credit: Jobyer Ahmed (Bytium)
ソース⚠️ https://bytium.com/insights/authenticated-arbitrary-file-upload-to-rce-in-twill-cms
ユーザー
 suffer (UID 74855)
送信2026年06月05日 18:52 (1 月 ago)
モデレーション2026年07月12日 13:11 (1 month later)
ステータス承諾済み
VulDBエントリ377847 [AREA 17 Twill CMS 迄 3.6.0 Media Library Insert Page FileLibraryController.php storeFile qqfilename 特権昇格]
ポイント20

Want to stay up to date on a daily basis?

Enable the mail alert feature now!