
@Hadi999
Created April 6, 2023 10:53
> [description]
> An arbitrary file upload vulnerability in the upload function of
> GDidees CMS 3.9.1 allows attackers to execute arbitrary code via a
> crafted file.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Incorrect Access Control
>
> ------------------------------------------
>
> [Vendor of Product]
> GDidees
>
> ------------------------------------------
>
> [Affected Product Code Base]
> GDidees CMS - 3.9.1 and lower versions
>
> ------------------------------------------
>
> [Affected Component]
> GDidees CMS uses a third-party application (Roxy Fileman 1.4.6) for its upload feature; this upload application is vulnerable to CVE-2022-40797.
> The vulnerable file is 'conf.json', located at {webroot}/_admin/ckeditor/plugins/ckfinder.
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> An attacker can upload a malicious .phar file in order to gain PHP code execution.
> .phar files are executed as PHP by the server (the default PHP handler configuration, e.g. Debian's php-cgi.conf referenced below, maps .phar to the PHP handler alongside .php and .phtml) but are not forbidden by the upload tool.
> The upload form URL is: http://{URL_of_GDidees}/_admin/ckeditor/plugins/ckfinder/index.php
>
> ------------------------------------------
>
> [Reference]
> https://www.gdidees.eu/cms-1-0.html
> https://nvd.nist.gov/vuln/detail/CVE-2022-40797
> https://salsa.debian.org/php-team/php/-/blob/dc253886b5b2e9bc8d9e36db787abb083a667fd8/debian/php-cgi.conf#L5-6
>
> ------------------------------------------
>
> [Discoverer]
> Hadi Mene
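The gap described under [Attack Vectors] is the mismatch between what the upload tool's extension list blocks and what the web server's PHP handler executes. The script below is an added example, not code from the advisory, GDidees, or Roxy Fileman: it audits a conf.json-style extension list against the handler pattern from the referenced Debian php-cgi.conf (`.+\.ph(ar|p|tml)$`) and reports filenames that would be both accepted and executed. The key names FORBIDDEN_UPLOADS / ALLOWED_UPLOADS, the space-separated format, and both sample configurations are assumptions constructed for the example, not copied from any release.

```python
"""Audit an upload extension list against the server's PHP handler pattern.

Added example for the GDidees / Roxy Fileman advisory; not project code.
Assumed (not from the advisory): conf.json carries a space-separated
FORBIDDEN_UPLOADS denylist and an optional ALLOWED_UPLOADS allowlist.
"""
import json
import re

# Pattern Debian's php-cgi.conf uses to route files to the PHP handler
# (FilesMatch ".+\.ph(ar|p|tml)$" at the referenced lines): .phar is included.
PHP_HANDLER = re.compile(r".+\.ph(ar|p|tml)$")

# Constructed config fragments. The weak one blocks the usual .php variants
# but omits phar; the fixed one adds phar and also switches to an allowlist
# so that anything not explicitly permitted is rejected.
WEAK_CONF = json.dumps({
    "FORBIDDEN_UPLOADS": "php phtml php3 php4 php5 phps shtml pl sh cgi exe htaccess",
    "ALLOWED_UPLOADS": "",
})
FIXED_CONF = json.dumps({
    "FORBIDDEN_UPLOADS": "php phtml php3 php4 php5 phps shtml pl sh cgi exe htaccess phar",
    "ALLOWED_UPLOADS": "jpg jpeg png gif pdf",
})


def extension(filename):
    """Extension as an upload tool typically sees it: text after the last dot, lowercased."""
    name = filename.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def upload_allowed(conf_json, filename):
    """Emulate a denylist-then-allowlist extension check driven by conf.json."""
    conf = json.loads(conf_json)
    forbidden = set(conf.get("FORBIDDEN_UPLOADS", "").split())
    allowed = set(conf.get("ALLOWED_UPLOADS", "").split())
    ext = extension(filename)
    if ext in forbidden:
        return False
    if allowed and ext not in allowed:
        return False
    return True


def server_executes(filename):
    """True if the Debian-style FilesMatch pattern would hand the file to PHP."""
    return PHP_HANDLER.match(filename.rsplit("/", 1)[-1]) is not None


def audit(conf_json, filenames):
    """Names the tool would accept AND the server would execute: the RCE path."""
    return [f for f in filenames if upload_allowed(conf_json, f) and server_executes(f)]


# Constructed sample names, including double-extension edge cases.
SAMPLES = [
    "logo.png",        # harmless
    "shell.php",       # blocked by both configs
    "shell.phtml",     # blocked by both configs
    "shell.phar",      # the CVE-2022-40797 case: accepted by WEAK, executed
    "shell.phar.jpg",  # accepted, but this handler pattern anchors on the last extension
    "shell.jpg.phar",  # last extension wins on both sides: accepted by WEAK, executed
]


def main():
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(f"{label}: executable uploads = {audit(conf, SAMPLES)}")


if __name__ == "__main__":
    main()
```

The audit only reflects the FilesMatch-style pattern from the referenced Debian file; a server using AddHandler with multiple extensions treats names such as shell.phar.jpg differently, so the handler pattern should be taken from the actual deployment, not assumed. The allowlist in the fixed configuration is the durable fix: a denylist has to be amended every time the server learns a new executable extension.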