A newly discovered vulnerability, CVE-2023-36097, has been identified in the popular open-source management platform FunAdmin. Specifically, versions 3.3.2 and 3.3.3 contain an insecure file upload vulnerability that could allow an attacker to upload and execute arbitrary code on the affected server. This post will discuss the details of the vulnerability, provide code snippets showcasing the flaw, and suggest mitigation steps for affected users.
Exploit Details
This vulnerability, CVE-2023-36097, lies within FunAdmin's plugins installation functionality. The platform allows users to upload and install plugins to extend its capabilities. However, in versions 3.3.2 and 3.3.3, the file upload process lacks sufficient validation checks. As a result, an attacker can upload arbitrary files, including those containing malicious code, to the server.
The following code snippet demonstrates the lack of validation during the file upload process
// FunAdmin v3.3.2 and v3.3.3 - Insecure file upload example
public function upload()
{
// Process file upload
$file = $this->request->file('file');
if (!$file) {
return $this->error('No file found');
}
// Save file to server
$info = $file->move(env('runtime_path') . 'plugin' . DIRECTORY_SEPARATOR . 'temp');
if ($info) {
return $this->success('File uploaded', ['name' => $info->getSaveName()]);
} else {
return $this->error('File upload failed');
}
}
The above code processes the uploaded file without any checks for file type, extension, or contents. This lack of validation makes it possible for an attacker to execute arbitrary code on the server after uploading a malicious file disguised as a FunAdmin plugin.
To exploit this vulnerability, an attacker may craft a malicious plugin that includes a PHP file with the following code:
<?php
// Malicious plugin PHP file
echo shell_exec($_GET['command']);
?>
When uploaded to the affected FunAdmin server, the attacker can execute arbitrary shell commands on the target system by sending a request containing their desired command.
The disclosure of CVE-2023-36097 and its related findings can be found in the following resources
1. FunAdmin GitHub Repository (v3.3.2)
2. FunAdmin GitHub Repository (v3.3.3)
3. CVE Detail Page - CVE-2023-36097
Mitigation Steps
Affected users running FunAdmin versions 3.3.2 and 3.3.3 should take the following steps to mitigate the risk associated with the CVE-2023-36097 vulnerability:
1. Upgrade to the latest available version of FunAdmin, which includes security patches addressing this issue.
2. Implement proper server-side validation and security checks for file uploads, including restricting the allowed file types and ensuring the contents match the expected values.
3. Consider implementing additional security measures, such as file upload scanning, intrusion prevention systems, and a dedicated firewall for the application server.
Conclusion
Users of FunAdmin v3.3.2 and v3.3.3 should be aware of the CVE-2023-36097 vulnerability and take immediate action to mitigate the associated risks. By upgrading to the latest version of the platform and implementing proper security measures, organizations can better protect their server environments from unauthorized file uploads and potential code execution attacks.
Timeline
Published on: 06/22/2023 15:15:00 UTC
Last modified on: 06/28/2023 07:22:00 UTC