CMS MADE SIMPLE FORGE

CMS Made Simple Core

 

[#12531] CWE - 434 : Unrestricted Upload of File with Dangerous Type

Created By: Humberto Junior (halencarjunior)
Date Submitted: Mon Feb 21 16:43:50 -0500 2022

Assigned To: CMS Made Simple Foundation (cmsmsfoundation)
Version: 2.2.16
CMSMS Version: 2.2.16
Severity: Critical
Resolution: None
State: Open
Summary:
CWE - 434 : Unrestricted Upload of File with Dangerous Type
Detailed Description:
I was able to upload a .phtml file using the admin/File Manager and
exploited an RCE with weevely to have a reverse shell.

The application does not prevent the upload of phtml files, letting the server
execute PHP files.


History

Comments
Date: 2022-02-21 16:48
Posted By: Ruud van der Velden (ruudvdvelden)

Thank you for reporting. 

Please read this:
https://www.cmsmadesimple.org/community/get-involved/report-a-vulnerability
      
Date: 2022-03-02 20:59
Posted By: tom (tomphantoo)

FWIW, my solution for this sort of thing has been:
1. An extra method FileTypeHelper::is_executable() to report browser-executable
files (.phtml etc)
2. Ignore attempted 'internal' uploading of files which are detected by that
method
3. In case such files get uploaded by another means, add (during CMSMS
installation or upgrade) an execution-blocking .htaccess or web.config into the
uploads folder
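
A sketch of the three steps in the comment above, as an added example that is neither CMSMS code nor the commenter's implementation. `upload_name_is_executable()` and `write_upload_guard()` are hypothetical names, and the extension list is an assumption to adapt to the server's handler mappings.

```php
<?php
// Added illustration, not CMSMS code. Function names and the extension list are assumptions.
const BLOCKED_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'pht', 'phps', 'phar'];
const BLOCKED_BASENAMES  = ['.htaccess', '.user.ini', 'web.config'];

// Hypothetical stand-in for step 1: true when the name should be refused.
function upload_name_is_executable(string $name): bool
{
    // Normalise: strip NUL bytes and any path, trailing dots/spaces, case.
    $base = basename(str_replace(["\0", '\\'], ['', '/'], $name));
    $base = strtolower(rtrim($base, ". \t"));
    if ($base === '' || in_array($base, BLOCKED_BASENAMES, true)) {
        return true; // empty names and per-directory config files are refused
    }
    // Inspect every dot-separated segment after the first: depending on the
    // handler configuration, "name.phtml.txt" can still be handed to PHP.
    foreach (array_slice(explode('.', $base), 1) as $segment) {
        if (in_array($segment, BLOCKED_EXTENSIONS, true)) {
            return true;
        }
    }
    return false;
}

// Step 3: drop a deny rule into the uploads folder (Apache 2.4 syntax;
// needs AllowOverride to permit it). Returns false if the write fails.
function write_upload_guard(string $uploadsDir): bool
{
    $rules = <<<'HTACCESS'
<FilesMatch "(?i)\.(php[0-9]?|phtml|pht|phps|phar)(\.|$)">
    Require all denied
</FilesMatch>
HTACCESS;
    return file_put_contents(rtrim($uploadsDir, '/') . '/.htaccess', $rules . "\n", LOCK_EX) !== false;
}

// Constructed sample names; step 2 is the early refusal in the loop.
foreach (['photo.jpg', 'page.PHTML', 'note.phtml.txt', 'report.pdf. ', '.htaccess'] as $name) {
    printf("%-16s %s\n", $name, upload_name_is_executable($name) ? 'refused' : 'accepted');
}
```

The guard file shown covers Apache only; the web.config variant for IIS mentioned in the comment is not covered here.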
      
Updates

Updated: 2022-02-21 16:48
resolution_id: => 5