Ticket #2214 (closed defect: wontfix)
Arbitrary themes upload vulnerability in dotclear 2.10.4, please confirm.
| Reported by: | fantasy7082 | Owned by: | team |
|---|---|---|---|
| Priority: | highest | Milestone: | |
| Component: | security | Version: | 2.10.3 |
| Severity: | critical | Keywords: | 2.10.4 or 2.10.3 |
| Cc: | | | |
Description
Hello, I found an arbitrary theme upload vulnerability in blog_theme.php. The attacker can make a malicious zip file including a webshell backdoor and upload it to the website. Then the attacker can acquire the webserver privilege. The steps to reproduce are below:
- Make a malicious theme zip (such as yyy.zip). The zip includes only one PHP file (_define.php). The "_define.php" content is below:
- Click "Blog appearance->Install or upgrade manually" and upload the yyy.zip. You will find that phpinfo() has been executed.
- So we can also upload a malicious zip file including a PHP webshell backdoor:
And then visit the URL http://IP/WEBROOT/themes/xxx/_define.php and get a shell:
thanks!
liuzhu
Email: fantasy7082@hotmail.com
Attachments
Change History
comment:2 in reply to: ↑ 1 Changed 7 years ago by fantasy7082
Replying to philippe:
I may be wrong here, but to be able to install a theme, you must be a super-administrator, in which case you already have plenty of rights to break everything.
Furthermore, if you can install a theme, it may include a _public.php file, and there again you can do as much as you wish: access database, add files to server or delete them, etc.
Thank you very much for your reply, but I have different ideas. First, it's a privilege escalation attack: the CMS super-administrator can only change the content and style of the CMS. As you say, the super-administrator can also install a theme that includes a _public.php on the server, and then he can also access the database. But I think the webshell backdoor is different: you can upload arbitrary files (such as PE files or sh files), sniff the internal network, add system user accounts, and download all the source code (of other websites) on the webserver (which exceeds the site administrator's rights). The site administrator's rights should be different from the system administrator's rights.
Changed 7 years ago by fantasy7082
- attachment vul_snapshot.zip added
The snapshot of the reproduction steps
comment:3 Changed 7 years ago by franck <carnet.franck.paul@…>
(In [445e9ff79a1f]) Capture output buffer during module’s file loading, addresses #2214
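The commit message above refers to capturing the output buffer while a module file is loaded. As an added illustration of that approach, not Dotclear's own code (the class, its method names and the sample _define.php are hypothetical and constructed here):

```php
<?php
declare(strict_types=1);
// Added illustration, not Dotclear's own code: include a theme's _define.php
// with output buffering so nothing the file prints reaches the HTTP response.
// Class and method names are hypothetical.
final class ThemeDefinitionLoader
{
    /** @var array<string, array<string, string>> registered theme metadata */
    public array $modules = [];

    /** Called from inside _define.php as $this->registerModule(...) (hypothetical API). */
    public function registerModule(string $id, string $name, string $version): void
    {
        $this->modules[$id] = ['name' => $name, 'version' => $version];
    }

    /**
     * Include $definePath while buffering output and return whatever the file
     * printed as "stray output" for logging instead of emitting it.
     * Caveat: the file is still executed; buffering only controls what reaches
     * the browser and is not a sandbox for the module's code.
     */
    public function load(string $definePath): string
    {
        if (!is_file($definePath)) {
            throw new RuntimeException("missing definition file: $definePath");
        }
        $level = ob_get_level();
        $stray = '';
        ob_start();
        try {
            include $definePath;
        } finally {
            // Unwind every buffer the file may have opened, outermost text first.
            while (ob_get_level() > $level) {
                $stray = (string) ob_get_clean() . $stray;
            }
        }
        return $stray;
    }
}

// Constructed sample: a _define.php that registers a theme but also prints.
$tmp = tempnam(sys_get_temp_dir(), 'theme_');
file_put_contents($tmp, "<?php\n\$this->registerModule('demo', 'Demo theme', '1.0');\necho 'unexpected output';\n");
$loader = new ThemeDefinitionLoader();
$stray = $loader->load($tmp);
unlink($tmp);
printf("registered: %s; captured %d bytes of stray output\n", implode(',', array_keys($loader->modules)), strlen($stray));
```

The captured text can be logged or surfaced to the administrator; as the maintainers note in the thread, this does not stop an installed theme from running code, it only keeps its output out of the response.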