Dotclear

Ticket #2214 (closed defect: wontfix)

Opened 7 years ago

Last modified 7 years ago

Arbitrary themes upload vulnerability in dotclear 2.10.4, please confirm.

Reported by: fantasy7082 Owned by: team
Priority: highest Milestone:
Component: security Version: 2.10.3
Severity: critical Keywords: 2.10.4 or 2.10.3
Cc:

Description

Hello, I found an arbitrary theme upload vulnerability in blog_theme.php. The attacker can make a malicious zip file including a webshell backdoor and upload it to the website. Then the attacker can acquire the web server's privileges. The steps to reproduce are below:

  1. Make a malicious theme zip (such as yyy.zip). The zip includes only one PHP file (_define.php). The "_define.php" content is below:

https://thumbnail0.baidupcs.com/thumbnail/09e49e0401ac3d29be57c24d588f5703?fid=3627198202-250528-114146562799603&time=1478163600&rt=sh&sign=FDTAER-DCb740ccc5511e5e8fedcff06b081203-3z%2FC%2BhHe8tMJEvJ8K3cyHkp2Wvk%3D&expires=8h&chkv=0&chkbd=0&chkpc=&dp-logid=7137515873059299957&dp-callid=0&size=c710_u400&quality=100

  2. Click "Blog appearance->Install or upgrade manually" and upload yyy.zip. You will find that phpinfo() has been executed.

https://thumbnail0.baidupcs.com/thumbnail/249309a263d7e97ec94c59b5335ac75b?fid=3627198202-250528-786371678723819&time=1478163600&rt=sh&sign=FDTAER-DCb740ccc5511e5e8fedcff06b081203-Bcza92V4IQb3YFAn027vpyBd6%2FU%3D&expires=8h&chkv=0&chkbd=0&chkpc=&dp-logid=7137557880070087822&dp-callid=0&size=c710_u400&quality=100

https://thumbnail0.baidupcs.com/thumbnail/e013e09dca5cc3541372e617b874bcdc?fid=3627198202-250528-205843587356145&time=1478163600&rt=sh&sign=FDTAER-DCb740ccc5511e5e8fedcff06b081203-hM5o9n%2FPT21j8i7LT%2BliHXTmjYo%3D&expires=8h&chkv=0&chkbd=0&chkpc=&dp-logid=7137574356565765484&dp-callid=0&size=c710_u400&quality=100

  3. So we can also upload a malicious zip file including a PHP webshell backdoor:

https://thumbnail0.baidupcs.com/thumbnail/582cf5803a3ace7dba1c2d4af36cd10a?fid=3627198202-250528-586253583501494&time=1478163600&rt=sh&sign=FDTAER-DCb740ccc5511e5e8fedcff06b081203-2EKKGAi9gLSGrXfKI%2Bdplb8GX78%3D&expires=8h&chkv=0&chkbd=0&chkpc=&dp-logid=7137586113584673557&dp-callid=0&size=c710_u400&quality=100

And then visit the URL http://IP/WEBROOT/themes/xxx/_define.php, getshell:

https://thumbnail0.baidupcs.com/thumbnail/87e7c9b9799108cd1986b29dda4dc6bc?fid=3627198202-250528-166932373298824&time=1478167200&rt=sh&sign=FDTAER-DCb740ccc5511e5e8fedcff06b081203-EpUky7m9VRrfXsGDe93fIOfjhH0%3D&expires=8h&chkv=0&chkbd=0&chkpc=&dp-logid=7137601925457483481&dp-callid=0&size=c710_u400&quality=100

thanks!

liuzhu

email: fantasy7082@hotmail.com

Attachments

vul_snapshot.zip (140.2 KB) - added by fantasy7082 7 years ago.
the snapshot of reproduction step

Change History

comment:1 (follow-up: comment:2) Changed 7 years ago by philippe

I may be wrong here, but to be able to install a theme, you must be a super-administrator, in which case you already have plenty of rights to break everything.

Furthermore, if you can install a theme, it may include a _public.php file, and there again you can do as much as you wish: access the database, add files to the server or delete them, etc.

comment:2 (in reply to: comment:1) Changed 7 years ago by fantasy7082

Replying to philippe:

I may be wrong here, but to be able to install a theme, you must be a super-administrator, in which case you already have plenty of rights to break everything.

Furthermore, if you can install a theme, it may include a _public.php file, and there again you can do as much as you wish: access the database, add files to the server or delete them, etc.

Thank you very much for your reply, but I have different ideas. First, it's a privilege escalation attack: the CMS super-administrator can only change the content and style of the CMS. As you say, the super-administrator can also install a theme including a _public.php on the server, and then he can also access the database. But I think the webshell backdoor is different: you can upload arbitrary files (such as PE files or sh files), sniff the internal network, add system user accounts, download all source code (of other websites) on the web server (which exceeds the site administrator's rights). The site administrator's rights should be different from the system administrator's rights.

Changed 7 years ago by fantasy7082

the snapshot of reproduction step

comment:3 Changed 7 years ago by franck <carnet.franck.paul@…>

(In [445e9ff79a1f]) Capture output buffer during module’s file loading, addresses #2214

comment:4 Changed 7 years ago by franck

We can also add an .htaccess with php_flag engine off inside the main theme folder, but it will not prevent every attack.

Last edited 7 years ago by franck
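The two mitigations mentioned in comment:3 and comment:4, written out as an added PHP example that is not Dotclear's own code: loading a theme's _define.php inside an output buffer (so anything the file prints is captured rather than sent to the admin page), and dropping an .htaccess with php_flag engine off into the themes directory. The directory layout, the function names and the demo theme are assumptions constructed for this example; the comments spell out what each measure does and, matching franck's caveat, what it does not cover.

```php
<?php
// Added example, not Dotclear's code. Illustrates the two mitigations from
// this ticket and their limits:
//  1. comment:3 - run a module's _define.php inside an output buffer so that
//     whatever it prints (phpinfo(), echo, ...) is captured instead of being
//     emitted into the admin response. The file still executes, with the
//     web server's privileges: this contains output, not code execution.
//  2. comment:4 - write an .htaccess with "php_flag engine off" into the
//     themes directory so Apache mod_php refuses to execute .php files that
//     are requested directly from it. Ignored by nginx / php-fpm and by Apache
//     setups whose AllowOverride does not permit Options, hence "not every attack".
// Paths and function names are assumptions for the demo.

declare(strict_types=1);

/**
 * Load $themeDir/_define.php with output buffering and return whatever the
 * file printed (an empty string for a well-behaved theme).
 */
function loadThemeDefine(string $themeDir): string
{
    $file = rtrim($themeDir, '/') . '/_define.php';
    if (!is_file($file)) {
        throw new RuntimeException("missing _define.php in $themeDir");
    }
    ob_start();
    try {
        include $file;            // executes with the web server's privileges
    } finally {
        $captured = (string) ob_get_clean();   // always discard the buffer
    }
    return $captured;
}

/**
 * Write an .htaccess that disables the PHP engine for $themesDir.
 * Only effective under Apache with mod_php and AllowOverride Options (or All).
 */
function protectThemesDir(string $themesDir): void
{
    $htaccess = rtrim($themesDir, '/') . '/.htaccess';
    $rules = "php_flag engine off\n";
    if (file_put_contents($htaccess, $rules, LOCK_EX) === false) {
        throw new RuntimeException("cannot write $htaccess");
    }
}

// --- demo on a constructed themes directory under the system temp dir ---
$themes = sys_get_temp_dir() . '/demo-themes-' . bin2hex(random_bytes(4));
$theme  = $themes . '/demo';
mkdir($theme, 0700, true);
// Constructed _define.php that prints while being loaded (stands in for a
// theme file that calls phpinfo() or similar).
file_put_contents($theme . '/_define.php', "<?php echo 'leaked output';\n");

$leaked = loadThemeDefine($theme);
echo $leaked === '' ? "no output leaked\n" : "captured instead of emitted: $leaked\n";

protectThemesDir($themes);
echo "wrote $themes/.htaccess:\n", file_get_contents($themes . '/.htaccess');
```

Run with `php example.php`; the first line shows that the theme's output was captured rather than emitted, the second shows the .htaccess that was written. Neither measure changes the fact noted in comment:1 and comment:2: a user allowed to install themes is executing PHP on the server, so the only real boundary is who holds that right.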

comment:5 Changed 7 years ago by franck

  • Status changed from new to closed
  • Resolution set to wontfix
  • Milestone A definir deleted