usd-2023-0049 | Gambio 4.9.2.0 - Arbitrary File Upload

Product: Gambio
Affected Version: 4.9.2.0
Vulnerability Type: CWE 434 - Unrestricted Upload of File with Dangerous Type
Security Risk: Critical
Vendor URL: https://www.gambio.de/
Vendor Status: Not fixed
CVE number: CVE-2024-23762

Description

Gambio is a software specifically designed for running online shops.
It provides various features and tools to help businesses manage their inventory, process orders, and handle customer interactions.

According to their homepage, the software is used by more than 25.000 shops.

The Content Manager feature allows to create new pages from scripts.
The functionality allows uploading arbitrary PHP files which results in remote code execution.

Note:
Unfortunately, despite multiple attempts, our attempts to engage the vendor in resolving this issue have been met with silence.
The vulnerability is still unfixed.

Proof of Concept

The Content Manager feature allows to create new pages from scripts.
The functionality allows uploading arbitrary PHP files which results in remote code execution.

A PHP file which executes the ls command was uploaded.
The PHP file is embedded into the page where it was previously attached to.

Fix

Restrict upload of files with a dangerous type.

References

• https://www.gambio.de

Timeline

• 2023-12-08: First contact request via email.
• 2023-12-21: Second contact request via email.
• 2024-01-17: This advisory is published.

Credits

This security vulnerability was identified by Christian Poeschl and Lukas Schraven of usd AG.