Vulnerability Report #106
Comments
|
Hi there, thanks for reaching out. I can't reproduce this so far. On uploads there is a validation of the file extension in place that should prevent uploading files with an extension that is not in the allowed list. How does your allowed file types list look like? Did you add php there? |
no i add nothing to allowed list, never touch that |
marcantondahmen
added
bug
|
I took a closer look. It turned out that not the uploads but the file saving endpoint was lacking proper file type checking. I quickly released a fix. Thanks for reaching out! |
I identified potential security vulnerabilities in automad.
I am committed to working with you to help resolve these issues. In this report you will find everything you need to effectively coordinate a resolution of these issues.
If at any point you have concerns or questions about this process, please do not hesitate to reach out to me.
If you are NOT the correct point of contact for this report, please let me know!
Summary
A Remote Code Execution (RCE) vulnerability exists in the image upload functionality of automad 2.0.0. The vulnerability is due to improper validation of uploaded files, allowing an attacker to upload and execute arbitrary PHP code on the server.
An attacker can exploit this vulnerability by sending a specially crafted HTTP POST request to the affected endpoint. The request contains a PHP file disguised as an image file, which the server processes and executes, allowing the attacker to execute arbitrary commands on the server.
PoC
Post an php file with base64 encoded content
<?php phpinfo(); ?>to /_api/image/save and uploads successfully.As you can see it effects this live demo version too:
Impact
Successful exploitation of this vulnerability allows remote attackers to execute arbitrary code on the server, which can lead to complete compromise of the affected system.
Remediation
The text was updated successfully, but these errors were encountered: