Composr 10.0.36 | Remote Code Execution (RCE)

2021.04.10
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

===========================================================================
# Exploit Title : Composr 10.0.36 | Remote Code Execution (RCE)
# Author : Ali Seddigh
# Vendor Homepage: https://compo.sr/
# Software Link: https://compo.sr/download.htm
# Version: 10.0.36
# Tested on : [ Windows ~> 10 , Kali Linux ]
# Date : 2021-04-10
===========================================================================

<< introduction >>

An RCE in Composr CMS has been discovered by BugsBD Private LTD.
The galleries module has a security issue that allows a PHP file to be uploaded.
When an image is uploaded through the galleries uploader, Composr accepts images only; if a PHP file is submitted there, it reports that someone is attempting hacking activities.
However, the Upload In Bulk section has a security issue.
The allowed-extension list of the Upload In Bulk function shows that PHP is completely prohibited, but if the request is tampered with and the extension changed, the PHP file is uploaded without any other client-side or server-side verification.
This allows a user to upload a malicious file even though it is restricted.

===========================================================================
# Steps To Reproduce:

1. Go to upload galleries.
2. Upload an image and tamper the request, changing the extension from .jpg to .php.
3. It will report hacking attempts; check the allowed extensions and you can see it is not accepting the PHP extension.
4. Now go to the Upload In Bulk option.
5. Upload an image with PHP code and tamper the request.
6. Change the extension from .jpg to .php.
7. It will get uploaded with the blocked PHP extension.
===========================================================================
# Discovered By : Ali Triplex
===========================================================================
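The weakness described above is an extension check that is enforced on one upload path but not the other, and that trusts the extension the client declares. As an added defensive illustration (not part of the advisory and not Composr's code; all names are hypothetical), the following model shows the shape of a server-side validator shared by every upload path, including bulk upload: an extension allowlist instead of a PHP denylist, magic-byte verification of the body, rejection of double extensions, and a server-chosen filename so the tampered client name never reaches the filesystem.

```python
import os
import uuid

# Allowlist (not a PHP denylist): only the extensions the gallery is meant to accept.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Leading bytes a file must start with to be treated as the declared image type.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def validate_upload(client_filename, content):
    """Server-side check called by every upload path (single and bulk alike).

    Returns (accepted, reason, stored_name). The stored name is chosen by the
    server, so whatever extension the client declared never drives storage.
    """
    # Discard any directory component the client may have sent.
    base = os.path.basename(client_filename.replace("\\", "/"))
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem:
        return False, "missing extension", None
    ext = ext.lower()  # .PHP and .php are the same to the web server
    if ext not in ALLOWED_EXTENSIONS:
        return False, f".{ext} is not an allowed extension", None
    if "." in stem:
        # e.g. name.php.jpg: refuse rather than rely on web-server handler ordering.
        return False, "double extension", None
    if not content.startswith(MAGIC[ext]):  # bytes.startswith accepts a tuple
        return False, "content does not match the declared image type", None
    if b"<?php" in content:
        # Heuristic: a genuine image body never needs a PHP open tag.
        return False, "embedded PHP tag", None
    stored_name = f"{uuid.uuid4().hex}.{ext}"
    return True, "ok", stored_name


# Constructed sample inputs: a minimal JPEG header plus filler, and the same
# bytes with a PHP tag appended, as in step 5 of the advisory.
JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
POLYGLOT = JPEG + b"<?php echo 1; ?>"

if __name__ == "__main__":
    for name, body in [("photo.jpg", JPEG), ("photo.php", JPEG),
                       ("photo.php.jpg", JPEG), ("photo.jpg", POLYGLOT)]:
        print(name, validate_upload(name, body)[:2])
```

The point is not the specific heuristics but that one validator runs on the server for both the single-image and the bulk path; a denylist applied in only one of them is exactly the gap the advisory reports.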


Copyright 2021, cxsecurity.com