{"id":16693,"date":"2021-07-07T16:32:49","date_gmt":"2021-07-07T14:32:49","guid":{"rendered":"https:\/\/herolab-usd.formwandler.rocks\/security-advisories\/usd-2020-0041\/"},"modified":"2021-07-19T14:16:13","modified_gmt":"2021-07-19T12:16:13","slug":"usd-2020-0041","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2020-0041\/","title":{"rendered":"usd-2020-0041"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n

usd-2020-0041 | Concrete5 v8.5.2<\/span><\/h1>\n

<\/span><\/p>\n

<\/span>Advisory ID<\/strong>: usd-2020-0041<\/span>
CVE Number<\/strong>: CVE-2020-11476<\/span>
Affected Product<\/strong>: Concrete5 CMS<\/span>
Affected Version<\/strong>: 8.5.2<\/span>
Vulnerability Type<\/strong>: Unrestricted Upload of File with Dangerous Type<\/span>
Security Risk<\/strong>: High<\/span>
Vendor URL<\/strong>: https:\/\/www.concrete5.org\/<\/a><\/span>
Vendor Status<\/strong>: Fixed in 8.5.3<\/span><\/p>\n

<\/h3>\n

<\/h3>\n

<\/h3>\n

Description<\/h3>\n
\n

The web application \u201econcrete5\u201c is vulnerable to remote code execution. An attacker can define uploadable filetypes in the admin area. The application blocks uploads with file extensions like php<\/em> and phtml<\/em> but not phar, php8, shtml, cgi, pl, phpsh, pht and .htaccess<\/em>.
It is for instance possible for an attacker to upload phar<\/em> files and access them via the browser after some configuration settings in the admin area. This file extension is interpreted as PHP code by many web servers, which allows code execution.<\/p>\n

 <\/p>\n<\/div>\n

\n

It is possible for an authenticated admin to specify the uploadable file formats in the \u201eAllowed File Types\u201c section under the URL http:\/\/localhost\/index.php\/dashboard\/system\/files\/filetypes. According to the page, the following file extensions are blocked:<\/p>\n<\/div>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]These file extensions will always be blocked: php, php2, php3, php4, php5, php7, phtml<\/code><\/pre>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n

However there are other file formats that are interpreted as PHP by many web servers. One of these file extensions is .phar<\/em>. After adding this file extension, it is possible to upload .phar<\/em>\u00a0files in the upload section, which are stored on the web server. If an attacker accesses the uploaded file via his browser, this file is interpreted as php and allows code execution.<\/p>\n

<\/span><\/h3>\n

<\/span><\/h3>\n

<\/span><\/h3>\n

Proof of Concept (PoC)<\/span><\/h3>\n
\n

First visit the section \u201eAllowed file types\u201c under the URL http:\/\/localhost\/index.php\/dashboard\/system\/files\/filetype<\/a>. The .phar<\/em>\u00a0format must be added to the list there.<\/p>\n

Create a new file shell.phar<\/em> with the following contents:<\/p>\n<\/div>\n

[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/usd20200041.png\" title_text=\"usd20200041\" _builder_version=\"4.9.4\" _module_preset=\"default\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\"]<\/p>\n

Afterwards visit the following page: http:\/\/localhost\/concrete5\/index.php\/dashboard\/files\/search<\/a>.
On this page it is possible to upload new files and get information about already uploaded files.<\/p>\n

Next step is to upload the created file shell.phar<\/em>. After the successful upload of the file it is possible to view the URL of the file. On the same page it is possible to search for the file name shell.phar<\/em> in the file search bar. By right-clicking on the file and selecting \u201eProperties\u201c you can get the path where the file was saved. The following information would then be displayed:<\/p>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]Filename \tshell.phar
\nURL to File\thttp:\/\/localhost\/application\/files\/4015\/8558\/7320\/shell.phar
\nTracked URL\thttp:\/\/localhost\/concrete5\/index.php\/download_file\/21\/0
\nFolder\t\tFile Manager<\/code><\/pre>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n

\n
\n

The attacker can now visit the received URL and enter system commands in the <\/span>cmd<\/em> GET parameter which should be executed on the system. The visiting the following URL would execute the system command \u201ewhoami\u201c: <\/span>http:\/\/localhost\/application\/files\/4015\/8558\/7320\/shell.phar?cmd=whoami<\/a><\/p>\n

<\/h3>\n

Fix<\/h3>\n

Although it is possible to add the file extension <\/span>.phar<\/em> to the <\/span>concrete.upload.extensions_blacklist<\/em> this would only be a temporary solution. There are many other file extensions which some web servers interpret as PHP code. It is more difficult to cover all file extensions with a blacklist than to build a whitelist of possible file formats. It would make sense to introduce a <\/span>concrete.upload.extensions_whitelist<\/em>\u00a0which is defined in the code. This way, a user who already has access to the system can modify it. The section \u201eAllowed File Types\u201c should not allow a user to modify the allowed file formats, it should only display uploadable formats.<\/span><\/p>\n

<\/h3>\n

Timeline<\/h3>\n