Bludit v3.9.2 Code Execution Vulnerability in "Upload function" #1081
Comments
|
I uploaded a fix, checking if the |
|
It can also to code execution by both accounts upload file at the same time,one of account to upload the .htaccess file,and the other upload the evil file. My personal opinion is rename the file to random number before upload to temporary directory. |
|
I added check the extension file, if you can try to do the exploit with the version from Github. I will release a new version in a few days. |
|
OK,glad to help you |
|
Fixed in Bludit v3.10.0. |
|
its too late but you dont even need to upload .htaccess or jpg |
A Code Execution Vulnerability in Bludit v3.9.2
Hi,
For CVE ID,so I open a new issue,sorry about that.And I think you haven't completely fixed the bug.
There is a new Code Execution Vulnerability which allow to get server permissions,the path is /bl-kernel/admin/ajax/upload-images.php
1, login with any account which allows you to edit conten
2.upload the evil jpg
We can specify the location of the uploaded file by changing the value of the uuid,then upload the evil picture to tmp folder
3.upload both the.htaccess file and the access target jpg
Successfully reverted to the target file
4. Access the evil file that are written through jpg
So I recommend checking the file before uploading it to temporary directory
The text was updated successfully, but these errors were encountered: