Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile

vendor:

Artworks Gallery

by:

Shahrukh Iqbal Mirza

8.8

CVSS

HIGH

Arbitrary File Upload RCE

434

CWE

Product Name: Artworks Gallery

Affected Version From: 1.0

Affected Version To: 1.0

Patch Exists: NO

Related CWE: CVE-2020-28687

CPE: a:code-projects.org:artworks_gallery:1.0

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Windows 10 (XAMPP Server)

2020

Artworks Gallery 1.0 – Arbitrary File Upload RCE (Authenticated) via Edit Profile

Authenticate as a user (or signup as an artist), go to edit profile, upload a php-shell as profile picture and click update/save, find your shell at 'http://<ip>/<base_url>/pictures/profile/<shell.php>' and get command execution.

Mitigation:

Ensure that user-supplied input is properly validated and sanitized before being used in any file operations.

Source

Exploit-DB raw data:

# Exploit Title: Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile
# Date: November 17th, 2020
# Exploit Author: Shahrukh Iqbal Mirza (@shahrukhiqbal24)
# Vendor Homepage: Source Code & Projects (https://code-projects.org)
# Software Link:  https://download.code-projects.org/details/9dfede24-03cc-42a8-b319-f666757ac7cf
# Version: 1.0
# Tested On: Windows 10 (XAMPP Server)
# CVE: CVE-2020-28687
--------------------
Proof of Concept:
--------------------
1. Authenticate as a user (or signup as an artist)
2. Go to edit profile
3. Upload a php-shell as profile picture and click update/save
4. Find your shell at 'http://<ip>/<base_url>/pictures/profile/<shell.php>' and get command execution