ghsa-pwh2-fpfr-x5gf
Vulnerability from github
Published
2024-03-25 19:46
Modified
2024-03-25 22:28
Severity ?
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
phpMyFAQ's File Upload Bypass at Category Image Leads to RCE
Details

Summary

The category image upload function in phpmyfaq is vulnerable to manipulation of the Content-type and lang parameters, allowing attackers to upload malicious files with a .php extension, potentially leading to remote code execution (RCE) on the system.

Details

In the file upload function of the category image, the Content-type can be manipulated to return an empty string for the extension and the lang parameter can be set to .php. to allow an attacker to save a file as .PHP. This allows the uploading of web shells which could lead to RCE on phpmyfaq.

PoC

  1. Generate a fake .GIF file that contains a php command using the tool gifsicle a. Cmd: gifsicle < test1.gif --comment "<?php system('whoami'); ?>" > output.php.gif

    image

    b. The contents of the file should look like this:
    image

  2. Browse to “../phpmyfaq/admin/?action=addcategory” and upload the fake .GIF file image

  3. Intercept the upload request and modify the params below and forward it: 3a. lang parameter to .php. 3b. Content-Type parameter from image/gif to image/gif2

    image

  4. Browse to the “/phpmyfaq/images” directory and notice that our fake .GIF file has been uploaded as a PHP file with the category number as its filename. image

  5. Now we just need to browse to “../phpmyfaq/images/category--.php” and see the results of our whoami command. Hence, verifying that RCE is achieved. image

Impact

Attackers can upload malicious files containing executable code, allowing them to take control of the vulnerable system. This enables them to execute arbitrary commands, steal sensitive data, disrupt services, and potentially escalate their privileges, posing significant risks to the security and integrity of the system and its data.

Occurrences

In CategoryImage.php line 124, the getimagesize and isValidMimeType functions can be bypassed by uploading a fake .GIF file generated by gifsicle.
image

In CategoryImage.php line 85, the getFileExtension function returns an empty string when the content type doesnt match any of the following 3 mappings. Hence, its possible to just supply an invalid content type such as image/gif2 in step 3 of the PoC to make the function return an empty string. image

In CategoryImage.php line 66, the getFileName function generate the filename by concatenating the categoryId, categoryName and fileExtension together. This allows us to save the file with a .PHP extension. (It should be possible to just set the payload in step 3 above to just .php but it doesnt work and im not sure why..) image

Suggested Fix

I believe one of the ways to solve this vulnerability is by forcing the getFileExtension function to return one of the 3 mimetype instead of an empty string. This ensures that the uploaded file will have an image extension and will not execute as a PHP file.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpmyfaq/phpmyfaq"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.2.5"
            },
            {
              "fixed": "3.2.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "3.2.5"
      ]
    }
  ],
  "aliases": [
    "CVE-2024-28105"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-434"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-25T19:46:11Z",
    "nvd_published_at": "2024-03-25T19:15:58Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nThe category image upload function in phpmyfaq is vulnerable to manipulation of the `Content-type` and `lang` parameters, allowing attackers to upload malicious files with a .php extension, potentially leading to remote code execution (RCE) on the system.\n\n### Details\nIn the file upload function of the category image, the `Content-type` can be manipulated to return an empty string for the extension and the `lang` parameter can be set to `.php.` to allow an attacker to save a file as `.PHP`. This allows the uploading of web shells which could lead to RCE on phpmyfaq.\n\n### PoC\n1. Generate a fake .GIF file that contains a php command using the tool `gifsicle`\n    a. Cmd: `gifsicle \u003c test1.gif --comment \"\u003c?php system(\u0027whoami\u0027); ?\u003e\" \u003e output.php.gif`\n  \n    ![image](https://github.com/thorsten/phpMyFAQ/assets/63487456/b9fc1f37-ce83-4ec5-88a5-5217c35caac9)\n\n    b. The contents of the file should look like this:  \n     ![image](https://github.com/thorsten/phpMyFAQ/assets/63487456/6d64a5b9-238f-4b56-8de6-7a765f69b0f5)\n\n2.  Browse to \u201c../phpmyfaq/admin/?action=addcategory\u201d and upload the fake .GIF file\n    ![image](https://github.com/thorsten/phpMyFAQ/assets/63487456/680f1c94-c4eb-4873-be05-018e745b88b2)\n\n3.  Intercept the upload request and modify the params below and forward it:\n    3a. `lang` parameter to `.php.`\n    3b. `Content-Type` parameter from `image/gif` to `image/gif2`\n\n    ![image](https://github.com/thorsten/phpMyFAQ/assets/63487456/9247c5bb-8f58-41de-a5d4-83ea57e42f37)\n\n4.  Browse to the \u201c/phpmyfaq/images\u201d directory and notice that our fake .GIF file has been uploaded as a PHP file with the category number as its filename.\n    ![image](https://github.com/thorsten/phpMyFAQ/assets/63487456/1c958452-7308-4038-8d51-d65c14f3e93a)\n\n5. Now we just need to browse to \u201c../phpmyfaq/images/category-\u003cID\u003e-.php\u201d and see the results of our whoami command. Hence, verifying that RCE is achieved.\n    ![image](https://github.com/thorsten/phpMyFAQ/assets/63487456/5d40afb9-0c44-458f-8440-c9c6bd916ce1)\n\n### Impact\nAttackers can upload malicious files containing executable code, allowing them to take control of the vulnerable system. This enables them to execute arbitrary commands, steal sensitive data, disrupt services, and potentially escalate their privileges, posing significant risks to the security and integrity of the system and its data.\n\n### Occurrences\nIn CategoryImage.php line 124, the getimagesize and isValidMimeType functions can be bypassed by uploading a fake .GIF file generated by gifsicle.  \n![image](https://github.com/thorsten/phpMyFAQ/assets/63487456/357684e3-9b7f-488e-ab99-6eb0b1ec3ebc)\n\nIn CategoryImage.php line 85, the getFileExtension function returns an empty string when the content type doesnt match any of the following 3 mappings. Hence, its possible to just supply an invalid content type such as image/gif2 in step 3 of the PoC to make the function return an empty string. \n![image](https://github.com/thorsten/phpMyFAQ/assets/63487456/98209dc0-7bcf-4d3d-a8ea-c4b70c47249a)\n\nIn CategoryImage.php line 66, the getFileName function generate the filename by concatenating the categoryId, categoryName and fileExtension together. This allows us to save the file with a .PHP extension. (It should be possible to just set the payload in step 3 above to just .php but it doesnt work and im not sure why..)\n![image](https://github.com/thorsten/phpMyFAQ/assets/63487456/ae987ef2-45b0-4144-b834-ba75cdd15545)\n\n### Suggested Fix\nI believe one of the ways to solve this vulnerability is by forcing the getFileExtension function to return one of the 3 mimetype instead of an empty string. This ensures that the uploaded file will have an image extension and will not execute as a PHP file.",
  "id": "GHSA-pwh2-fpfr-x5gf",
  "modified": "2024-03-25T22:28:15Z",
  "published": "2024-03-25T19:46:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-pwh2-fpfr-x5gf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28105"
    },
    {
      "type": "WEB",
      "url": "https://github.com/thorsten/phpMyFAQ/commit/9136883776af67dfdb0e8cf14f5e0ca22bf4f2e7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/thorsten/phpMyFAQ"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "phpMyFAQ\u0027s File Upload Bypass at Category Image Leads to RCE"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.