CMS Made Simple Core


[#11741] Authenticated Remote Code Execution by copying files

Created By: Mustafa Hasan (strukt)
Date Submitted: Sat Feb 17 21:48:43 -0500 2018

Assigned To:
Version: None
CMSMS Version: 2.2.5
Severity: None
Resolution: Won't Fix
State: Closed
Authenticated Remote Code Execution by copying files
Detailed Description:

When a file is copied on the server via the file manager, the admin has to
specify the name and extension of the destination file. The issue is that
there is no proper validation of the file extension, allowing the contents of,
say, a .txt file to be copied into one with a .php extension, which leads to
code execution on the server.

Steps to reproduce:

1- With an administrator account navigate to the File Manager and upload a .txt
file that contains the following content:

<?php echo system("whoami");?>

2- Copy the file to another named rce.php and when the redirect to the main File
Manager page occurs, click on the newly created file's name

3- Notice that a PHP page is opened at the path /uploads/rce.php, and the user
who started the web server instance is shown in the page as a PoC.

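The copy path the report describes, placed beside a hardened version of it, as an added example: this is not CMS Made Simple's own file manager code, and the function names, the executable-extension list and the "keep the source extension" rule are assumptions made here for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from CMS Made Simple. It contrasts the copy
// behaviour the report describes with a hardened version that validates the
// destination name before any filesystem call. Function names and the
// extension policy below are assumptions for illustration.

// Extensions a typical Apache/PHP stack may hand to an interpreter. Assumed
// starting list; align it with the server's actual handler configuration.
const EXECUTABLE_EXTENSIONS = [
    'php', 'php3', 'php4', 'php5', 'php7', 'phps', 'phtml', 'phar',
    'cgi', 'pl', 'py', 'sh', 'htaccess', 'htpasswd',
];

// Unsafe: mirrors the behaviour in the report. The name the admin types is
// used verbatim, so copying notes.txt to rce.php succeeds.
function copy_upload_unsafe(string $uploadsDir, string $source, string $destName): bool
{
    return copy($uploadsDir . '/' . $source, $uploadsDir . '/' . $destName);
}

// Returns null when $destName is acceptable, otherwise a reason string.
// Every dot-separated component is checked, not just the last one, because
// Apache's AddHandler matches an extension anywhere in the name, so a file
// called rce.php.txt can still be executed on some configurations.
function validate_copy_destination(string $source, string $destName): ?string
{
    if ($destName === '' || strlen($destName) > 255) {
        return 'empty or overlong name';
    }
    if ($destName !== basename($destName) || strpos($destName, "\0") !== false) {
        return 'path separators or NUL bytes not allowed';
    }
    if ($destName[0] === '.') {
        return 'dotfiles not allowed';
    }
    $parts = explode('.', $destName);
    if (count($parts) < 2 || end($parts) === '') {
        return 'destination needs an extension';
    }
    foreach (array_slice($parts, 1) as $ext) {
        if (in_array(strtolower($ext), EXECUTABLE_EXTENSIONS, true)) {
            return "executable extension .$ext not allowed";
        }
    }
    // A copy must not change the file type at all: keep the source extension.
    $srcExt = strtolower(pathinfo($source, PATHINFO_EXTENSION));
    if ($srcExt !== strtolower(end($parts))) {
        return "copy must keep the source extension .$srcExt";
    }
    return null;
}

// Hardened copy: validate the name, then confine the source to the uploads
// directory and refuse to overwrite an existing file.
function copy_upload_safe(string $uploadsDir, string $source, string $destName): bool
{
    $reason = validate_copy_destination($source, $destName);
    if ($reason !== null) {
        error_log("copy refused: $reason");
        return false;
    }
    $root = realpath($uploadsDir);
    $src  = realpath($uploadsDir . '/' . $source);
    if ($root === false || $src === false
        || strpos($src, $root . DIRECTORY_SEPARATOR) !== 0) {
        error_log('copy refused: source is not inside the uploads directory');
        return false;
    }
    $dst = $root . DIRECTORY_SEPARATOR . $destName;
    if (file_exists($dst)) {
        error_log('copy refused: destination already exists');
        return false;
    }
    return copy($src, $dst);
}

// Walk-through on constructed names, reusing the report's rce.php example.
$candidates = ['rce.php', 'rce.txt.php', 'rce.php.txt', 'rce.phtml',
               '../rce.txt', 'notes-copy.txt'];
foreach ($candidates as $name) {
    $reason = validate_copy_destination('notes.txt', $name);
    printf("%-16s %s\n", $name, $reason === null ? 'accepted' : "refused: $reason");
}
```

Run it with `php copy_check.php` (any file name): only `notes-copy.txt` is accepted; `rce.php`, `rce.txt.php`, `rce.php.txt` and `rce.phtml` are refused for their executable component and `../rce.txt` for its path separator. The name check is independent of, and should be combined with, a web-server rule that refuses to execute scripts under the uploads directory, since either control alone can be misconfigured.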


Date: 2018-02-18 11:40
Posted By: Matt Hornsby (DIGI3) (DIGI3)

File system access should only be given to trusted admins. We can't micromanage
every possible file type for all operating systems, so this is best handled
through server management policies and group permissions.

In the sample htaccess shipped with CMSMS, php execution is prevented from
within the Uploads directory. This is a starting point you can use to manage
your own security. If you really think your trusted admins may hack your site,
it may be better to more tightly restrict their access to the backend.

Date: 2018-02-19 03:31
Posted By: Mustafa Hasan (strukt)

I'd say that it's still a risk that should be mitigated against since this gives
an advantage to any attacker that is able to compromise an admin's profile.
However, if you are still at the same point of view, do you mind sharing this
publicly?

Date: 2018-02-19 14:52
Posted By: Matt Hornsby (DIGI3) (DIGI3)

This public forum post from our lead developer sums it up well. It's addressing
JavaScript, but the same theory applies:

Updated: 2018-03-10 09:47
state: Open => Closed

Updated: 2018-02-18 11:40
resolution_id: => 8