[description]
An arbitrary file upload vulnerability in the upload function of
GDidees CMS 3.9.1 allows attackers to execute arbitrary code via a
crafted file.

------------------------------------------

[Vulnerability Type]
Incorrect Access Control

------------------------------------------

[Vendor of Product]
GDidees

------------------------------------------

[Affected Product Code Base]
GDidees CMS - 3.9.1 and lower versions

------------------------------------------

[Affected Component]
GDidees CMS uses a third-party application (Roxy Fileman 1.4.6) for its upload feature; this upload application is vulnerable to CVE-2022-40797.
The vulnerable file is 'conf.json', located at {webroot}/_admin/ckeditor/plugins/ckfinder

------------------------------------------

[Attack Type]
Remote

------------------------------------------

[Impact Code execution]
true

------------------------------------------

[Attack Vectors]
An attacker can upload a malicious .phar file in order to gain PHP code execution.
.phar files are interpreted as PHP by the server but are not forbidden by the upload tool.
The upload form URL is: http://{URL_of_GDidees}/_admin/ckeditor/plugins/ckfinder/index.php

------------------------------------------

[Reference]
https://www.gdidees.eu/cms-1-0.html
https://nvd.nist.gov/vuln/detail/CVE-2022-40797
https://salsa.debian.org/php-team/php/-/blob/dc253886b5b2e9bc8d9e36db787abb083a667fd8/debian/php-cgi.conf#L5-6

------------------------------------------

[Discoverer]
Hadi Mene
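The root cause described above is a mismatch between what the upload tool forbids and what the web server hands to the PHP interpreter. The following Python example is added here for illustration and is not code from GDidees CMS or Roxy Fileman; it models a deny-list upload filter that omits "phar", the allow-list filter that fixes it, and an audit function that flags any extension the upload filter accepts but the server would execute. The deny-list and allow-list contents are constructed sample values, and the handler regex is reproduced from memory of the Debian php-cgi.conf file linked above (verify it against your own server configuration).

```python
import re

# Constructed deny-list in the style of many upload tools: note "phar" is missing.
WEAK_DENY_LIST = {"php", "php3", "php4", "php5", "phtml", "exe", "js"}

# Constructed positive allow-list: only the types the CMS actually needs to accept.
ALLOW_LIST = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

# Pattern of files the web server passes to the PHP interpreter, as in Debian's
# php-cgi.conf FilesMatch rule (assumed text, check your deployed config).
PHP_HANDLER_RE = re.compile(r".+\.ph(ar|p|tml)$")


def extension(filename: str) -> str:
    """Return the lower-cased last extension of an upload name ('' if none)."""
    basename = filename.rsplit("/", 1)[-1]
    if "." not in basename:
        return ""
    return basename.rsplit(".", 1)[1].lower()


def deny_list_accepts(filename: str) -> bool:
    """Weak filter: accept anything whose extension is not explicitly forbidden."""
    return extension(filename) not in WEAK_DENY_LIST


def allow_list_accepts(filename: str) -> bool:
    """Hardened filter: accept only extensions on the positive allow-list."""
    ext = extension(filename)
    return ext != "" and ext in ALLOW_LIST


def server_would_execute(filename: str) -> bool:
    """True if the web server's handler rule would run this file as PHP."""
    basename = filename.rsplit("/", 1)[-1]
    return PHP_HANDLER_RE.match(basename) is not None


def audit_gap(filename: str) -> bool:
    """True when the weak filter lets a file through that the server executes.

    This is exactly the condition behind the .phar finding: the upload tool
    does not forbid the extension, but the PHP handler rule matches it.
    """
    return deny_list_accepts(filename) and server_would_execute(filename)


def find_gaps(candidates):
    """Return every candidate name that slips past the deny-list into the PHP handler."""
    return [name for name in candidates if audit_gap(name)]


if __name__ == "__main__":
    # Constructed sample upload names used to exercise the two filters.
    samples = ["photo.jpg", "shell.php", "shell.phar", "page.phtml", "notes.txt"]
    for name in samples:
        print(f"{name:12} deny-list={deny_list_accepts(name)!s:5} "
              f"allow-list={allow_list_accepts(name)!s:5} "
              f"server-executes={server_would_execute(name)!s:5} "
              f"GAP={audit_gap(name)}")
    print("gaps:", find_gaps(samples))
```

Running the block against the constructed sample names shows "shell.phar" accepted by the deny-list and matched by the handler rule (a gap), while "shell.php" is blocked by both and the allow-list rejects every executable name. The useful defensive habit is the cross-check in audit_gap: enumerate the extensions your server's handler rules map to an interpreter and confirm the upload filter rejects each one, rather than trusting the filter's deny-list on its own.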