Unrestricted Upload of File with Dangerous Type in microweber/microweber
Oct 16th 2020
microweber/microweber is vulnerable to Arbitrary File Upload.
Effective controls have not been implemented to restrict users from uploading malicious content to the web server. Files containing executable code, such as .php and .exe files, can be uploaded successfully.
Steps To Reproduce:
- Log in to your Microweber account
- Go to the admin page
- Go to Users -> My Profile -> Edit User
- Upload a file with any image extension. The profile updates successfully.
- Now, download any web shell from Google and modify the extension.
- Capture the profile upload request in Burp and modify the image extension (e.g. test.php.png)
- The web shell uploads successfully.
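The root cause above is that the upload handler trusts the trailing extension and the client-supplied filename. The following validator is an added defensive example, not Microweber's code; it is written in Python for illustration (Microweber itself is PHP), assumes a profile-picture endpoint that should only accept images, and shows the checks that would reject a `test.php.png` upload: every dotted segment of the name is screened, the final extension must be on an allow-list, the file content must carry the matching magic bytes, and the stored name is chosen by the server rather than the client.

```python
import uuid
from typing import Optional

# Constructed allow-list for an avatar upload: accepted extension -> leading magic bytes.
ALLOWED_IMAGE_TYPES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}

# Segments that must never appear anywhere in the name, not only at the end,
# so that "shell.php.png" is rejected just like "shell.php".
DANGEROUS_SEGMENTS = {"php", "php3", "php4", "php5", "phtml", "phar", "exe", "sh", "htaccess"}


def validate_upload(filename: str, content: bytes) -> Optional[str]:
    """Return None if the upload is acceptable, otherwise the reason it was rejected."""
    # Strip any directory component the client may have sent, compare case-insensitively.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    segments = base.lower().split(".")
    if len(segments) < 2 or not segments[0]:
        return "filename must have a name and an extension"
    # Screen every extension-like segment, not just the last one.
    for seg in segments[1:]:
        if seg in DANGEROUS_SEGMENTS:
            return f"dangerous extension segment '{seg}' in filename"
    ext = segments[-1]
    if ext not in ALLOWED_IMAGE_TYPES:
        return f"extension '{ext}' is not an allowed image type"
    # The bytes must actually look like the claimed image type.
    if not any(content.startswith(magic) for magic in ALLOWED_IMAGE_TYPES[ext]):
        return f"content does not match the magic bytes of a .{ext} image"
    return None


def server_side_name(filename: str, content: bytes) -> str:
    """Validate, then return a random server-chosen name so the client name never hits disk."""
    reason = validate_upload(filename, content)
    if reason is not None:
        raise ValueError(reason)
    ext = filename.lower().rsplit(".", 1)[-1]
    return f"{uuid.uuid4().hex}.{ext}"


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16          # constructed PNG header
    print(validate_upload("avatar.png", png))          # None
    print(validate_upload("test.php.png", png))        # rejected: inner 'php' segment
    print(validate_upload("avatar.png", b"<?php ?>"))  # rejected: not PNG bytes
    print(server_side_name("avatar.png", png))
```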