An attacker can upload a PHP file through the component /admin/fst_upload.inc.php, and can then upload a file containing malicious code or execute PHP code through the same component. The attacker only needs to guess the name of the uploaded file. The following code contains the file upload method:

<?php
/* This method allows administrators to upload a file */
if (isset($_FILES['f']->name) && $_FILES['f']->is_file()) {
    // Check if file exists
    if (!$this->_fst->_check('upload', $file)) {
        // If file doesn't exist, create it
        $this->_fst->create(array(
            'fid' => $file->fid,
            'type' => 'upload',
            'upload' => '',
            'size' => 0,
            'ext' => 'jpg',
            'key' => '',
            'name' => '',
            'mime' => '',
            'created' => new \DateTime('now')
        ));
    }
}
?>

The following code contains a remote code execution method:

input type="file"

output script

input type="submit"

<?php if ($_FILES['f']->name) {
The following code contains the attack vector:

input type="image"

#!/usr/bin/env php
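
A hardened counterpart to the upload handling described above, as an added example that is not the product's code: it takes the same `f` upload field, decides the file type from the content, and stores the file under a random server-chosen name outside the web root, so an uploaded file can neither be guessed by name nor executed as PHP. The function name `store_upload`, the path in `UPLOAD_DIR`, the size limit and the MIME allowlist are assumptions.

```php
<?php
// Added example: hardened handler for the upload field "f".
// UPLOAD_DIR, MAX_BYTES and ALLOWED are assumptions, not product values.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app-data/uploads';   // assumed path outside the web root
const MAX_BYTES  = 2 * 1024 * 1024;           // assumed size limit (2 MiB)
const ALLOWED    = [                          // MIME type => stored extension
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function store_upload(array $file): string
{
    // Reject failed, oversized, or non-upload inputs before reading content.
    // A multi-file submission makes 'error' an array and is rejected here too.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('invalid upload');
    }

    // Decide the type from the file's bytes, never from the client-supplied
    // name or Content-Type header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('type not allowed');
    }

    // Random server-chosen name with an allowlisted extension: the stored
    // name cannot be guessed and never ends in .php.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

if (isset($_FILES['f'])) {
    try {
        echo 'stored as ', store_upload($_FILES['f']);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected';
    }
}
```

A file that is a valid image but also carries embedded PHP still passes the MIME check, which is why the extension allowlist and the storage location outside the web root matter as much as the content check.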

Timeline

Published on: 11/10/2022 20:15:00 UTC
Last modified on: 11/15/2022 20:47:00 UTC
