CMS MADE SIMPLE FORGE

CMS Made Simple Core

Back to List

[#12531] CWE - 434 : Unrestricted Upload of File with Dangerous Type

Created By: Humberto Junior (halencarjunior)

Date Submitted: Mon Feb 21 16:43:50 -0500 2022

Assigned To: CMS Made Simple Foundation (cmsmsfoundation)

Version: 2.2.16

CMSMS Version: 2.2.16

Severity: Critical

Resolution: None

State: Open

Summary:

CWE - 434 : Unrestricted Upload of File with Dangerous Type

Detailed Description:

I could be able to upload a .phtml file using the admin/File Manager and
exploited a RCE with weevely to have a reverse shell.

The application does not prevents the upload of phtml files, letting server
execute PHP files.

History

Date: 2022-02-21 16:48
Posted By: Ruud van der Velden (ruudvdvelden)

Thank you for reporting. 

Please read this:
https://www.cmsmadesimple.org/community/get-involved/report-a-vulnerability

Date: 2022-03-02 20:59
Posted By: tom (tomphantoo)

FWIW, my solution for this sort of thing has been:
1. An extra method FileTypeHelper::is_executable() to report browser-executable
files (.phtml etc)
2. Ignore attempted 'internal' uploading of files which are detected by that
method
3. In case such files get uploaded by another means, add (during CMSMS
installation or upgrade) an execution-blocking .htaccess or web.config into the
uploads folder

Updated: 2022-02-21 16:48
resolution_id: => 5

CMSMS | CMS Made Simple

CMS MADE SIMPLE FORGE

CMS Made Simple Core

[#12531] CWE - 434 : Unrestricted Upload of File with Dangerous Type

History