|=========================================================================== | # Exploit Title : Composr 10.0.36 | Remote Code Execution (RCE) | | # Author : Ali Seddigh | | # Vendor Homepage: https://compo.sr/ | | # Software Link: https://compo.sr/download.htm | | # Version: 10.0.36 | | # Tested on : [ Windows ~> 10 , Kali Linux ] | | # Date : 2021-04-10 |=========================================================================== | << introduction >> | | A RCE on Composr CMS has been discovered by BugsBD Private LTD. | We have a galleries security issue which allows us to upload a PHP file. | Whenever we upload an image from galleries, Composr allows us to upload only images. | If we tried to upload a PHP file from galleries uploader it will say someone attempting hacking activities. | But we have a security issue on the Upload In Bulk section. | Whenever we check allowed extension in Upload in bulk function we can see PHP is completely prohibited. | But whenever we tamper the request and change the extension we can see it will upload the PHP file without other or server side verification. | This allows a user to upload malicious file even when they restricted it. | |=========================================================================== | # Steps To Reproduce: | | 1. Go to upload galleries. | 2. Upload a image and tamper the request and change the extension from .jpg to .php | 3. It will say hacking attempts, check the allowed extension and you can see it's not accepting PHP extension. | 4. Now go to upload in bulk option. | 5. Upload a image with PHP codes and tamper the request. | 6. Change extension from .jpg to .php | 7. It will get uploaded with the blocked PHP extension. |=========================================================================== | # Discovered By : Ali Triplex |===========================================================================