Pixie CMS 1.04 arbitrary file upload

2017-04-14T00:00:00
ID SSV:92946
Type seebug
Reporter sebao
Modified 2017-04-14T00:00:00

Description

An arbitrary file upload vulnerability exists in the admin backend of Pixie CMS 1.04.

Vulnerability analysis:

The Publish > File Manager module lets you upload any file.

View the code in /admin/admin/modules/mod_filemanager.php:

$multi_upload->extensions = array(
    '.png',
    '.jpg',
    '.gif',
    '.zip',
    '.mp3',
    '.pdf',
    '.exe',
    '.rar',
    '.swf',
    '.vcf',
    '.css',
    '.dmg',
    '.php',
    '.doc',
    '.xls',
    '.xml',
    '.eps',
    '.rtf',
    '.iso',
    '.psd',
    '.txt',
    '.ppt',
    '.mov',
    '.flv',
    '.avi',
    '.m4v',
    '.mp4',
    '.gz',
    '.bz2',
    '.tar',
    '.7z',
    '.svg',
    '.svgz',
    '.lzma',
    '.sig',
    '.sign',
    '.js',
    '.rb',
    '.ttf',
    '.html',
    '.phtml',
    '.flac',
    '.ogg',
    '.wav',
    '.mkv',
    '.pls',
    '.m4a',
    '.xspf',
    '.ogv'
);
$multi_upload->message[] = $multi_upload->extra_text(4);
$multi_upload->do_filename_check = 'y';
$multi_upload->tmp_names_array = $_FILES['upload']['tmp_name'];
$multi_upload->names_array = str_replace(" ", '-', $_FILES['upload']['name']);
$multi_upload->error_array = $_FILES['upload']['error'];
$multi_upload->replace = (isset($_POST['replace'])) ? $_POST['replace'] : 'n';
$multi_upload->upload_multi_files();

Here we can see that $multi_upload->extensions allows files with the .php suffix to be uploaded, which is hard to believe.

Vulnerability reproduction:

On the upload page, upload a file named 1.php.

Then visit http://localhost/files/other/1.php
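
A hardened form of the extension check shown above, as an added example (not Pixie's code and not part of the original advisory). The function name safe_upload_name, both constant lists and the sample file names are assumptions made for illustration.

```php
<?php
// Added example: hypothetical hardened check, not Pixie's own code.

// Allowlist of types this example assumes the site needs. It contains no
// server-executable or browser-script types (php, phtml, html, svg, js).
const SAFE_EXTENSIONS = ['png', 'jpg', 'gif', 'pdf', 'txt', 'zip', 'mp3'];

// Every dot-separated segment is checked, because some Apache handler
// configurations execute "shell.php.jpg" based on the inner ".php".
const EXECUTABLE_SEGMENTS = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml',
                             'phar', 'pht', 'cgi', 'pl', 'rb', 'htaccess'];

/**
 * Returns a safe storage name for an uploaded file, or null if it is rejected.
 * $clientName is $_FILES[...]['name'], which the client fully controls.
 */
function safe_upload_name(string $clientName): ?string
{
    $base = strtolower(basename(str_replace('\\', '/', $clientName)));
    // Trailing dots/spaces and NUL bytes are classic extension-check bypasses.
    if ($base === '' || $base !== rtrim($base, ". \0") || strpos($base, "\0") !== false) {
        return null;
    }
    $segments = explode('.', $base);
    if (count($segments) < 2) {
        return null; // no extension at all
    }
    $ext = array_pop($segments);
    if (!in_array($ext, SAFE_EXTENSIONS, true)) {
        return null;
    }
    array_shift($segments); // drop the name stem; the rest are inner extensions
    foreach ($segments as $segment) {
        if (in_array($segment, EXECUTABLE_SEGMENTS, true)) {
            return null;
        }
    }
    // Store under a random name so the client never chooses the path on disk.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names, including the 1.php from the reproduction steps.
foreach (['photo.png', '1.php', 'shell.phtml', 'shell.php.jpg', 'x.PHP', 'notes.txt.'] as $name) {
    printf("%-14s => %s\n", $name, safe_upload_name($name) ?? 'REJECTED');
}
```

The extension check is one layer only: the upload directory should also be served with script execution disabled, so that a file that slips through is never run by the web server.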