Bdtask News365 Unrestricted File Upload Vulnerability in Admin Dashboard
Vulnerability
A critical unrestricted file upload vulnerability has been identified in Bdtask/CodeCanyon News365 versions through 7.0.3. The issue resides in the admin dashboard profile management section, specifically in the upload handler for the 'profile_image' and 'banner_image' fields. The handler does not validate the extension or content of the uploaded file and stores it under a web-accessible directory, so an authenticated admin user can upload a PHP web shell and then request it directly, causing the server to execute it. The result is remote code execution and a complete compromise of the server. Although the attack requires admin credentials, any compromised, phished or shared admin account is enough, and the upload turns a web-application account into an operating-system foothold.
Impact
Exploitation of this vulnerability gives the attacker remote code execution on the server with the privileges of the web server process. From there, potential consequences include reading the application's configuration and database credentials, unauthorized access to the application database, website defacement, and lateral movement within the internal network.
Reproduction
To reproduce this vulnerability, log into the admin panel and navigate to the profile editing page. Upload a PHP file through the profile picture or banner image upload field; neither field checks the file extension or the file content, so the upload is accepted. After the upload, use the browser's developer tools (the network tab or the image's source URL) to find the direct URL of the uploaded file under the '/storage/users/' directory. Requesting this URL executes the uploaded script. The response must contain the script's output rather than its source text: if the server returns the raw PHP, the upload directory is not configured to execute scripts and the finding is limited to an arbitrary file write.
Remediation
It is recommended to implement a strict whitelist for file uploads, allowing only specific safe image file extensions such as JPG, PNG, and GIF. Additionally, validate the MIME type and file content on the server side, by inspecting the actual bytes, to ensure that uploaded files are genuine images; the Content-Type sent by the browser and the original filename are attacker-controlled and must not be trusted. Store uploaded files outside of the webroot and serve them through a script that sets the correct Content-Type, so that even a file that slips past validation can never be executed. Rename uploaded files to a random name before storage, discarding the original filename and its extension, and assign an extension derived from the detected image type. As defense in depth, configure the web server so that scripts in any upload directory are not executed.
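The following PHP is an added example of the remediation above, not code from News365 or Bdtask. It keeps the 'profile_image' field name from this advisory; the storage path, the request routing and the size limit are assumptions chosen for illustration. It contrasts the vulnerable pattern (moving the upload into a web-served directory under its original name) with a handler that enforces the allow-list, validates the bytes, renames the file, stores it outside the webroot and serves it through a script.

```php
<?php
// Added example (not the project's code). Hardened image upload and serving,
// implementing the remediation steps in the advisory above.
//
// Vulnerable pattern this replaces (illustrative, not quoted from News365):
//   move_uploaded_file($_FILES['profile_image']['tmp_name'],
//                      './storage/users/' . $_FILES['profile_image']['name']);
// The original name and extension are kept and the directory is web-served, so
// shell.php is written and then executed on the next GET request.

declare(strict_types=1);

// Storage directory OUTSIDE the webroot (assumed layout; adjust per deployment).
const UPLOAD_DIR = __DIR__ . '/../private_uploads/users';

// Strict allow-list: stored extension => MIME type detected from the file bytes.
const ALLOWED_IMAGE_TYPES = [
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'gif' => 'image/gif',
];

const MAX_IMAGE_BYTES = 2 * 1024 * 1024; // assumed limit

/**
 * Validates one entry of $_FILES and stores it under a random name.
 * Returns the stored basename; throws RuntimeException on any rejection.
 */
function storeProfileImage(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    // Refuse anything that did not arrive via the HTTP upload mechanism.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if ((int) $file['size'] > MAX_IMAGE_BYTES) {
        throw new RuntimeException('File too large');
    }

    // 1. Sniff the MIME type from the bytes on disk. $file['type'] and
    //    $file['name'] come from the client and are ignored entirely.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    $ext   = ($mime === false) ? false : array_search($mime, ALLOWED_IMAGE_TYPES, true);
    if ($ext === false) {
        throw new RuntimeException('Rejected file type');
    }

    // 2. The content must actually parse as an image of that type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('File content is not a valid image');
    }

    // 3. Random name, extension derived from detected type, original name discarded.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;

    if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0750, true)) {
        throw new RuntimeException('Cannot create upload directory');
    }
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640); // readable by the web server, never executable
    return $name;
}

/**
 * Serves a stored image. The name must match exactly <32 hex>.<allowed ext>,
 * which also rules out path traversal and any name the handler did not generate.
 */
function serveProfileImage(string $name): void
{
    if (!preg_match('/\A[0-9a-f]{32}\.(jpg|png|gif)\z/', $name)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    $ext = pathinfo($name, PATHINFO_EXTENSION);
    header('Content-Type: ' . ALLOWED_IMAGE_TYPES[$ext]);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $name . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

// Assumed routing: POST with field "profile_image" stores; GET ?img=<name> serves.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['profile_image'])) {
    try {
        echo json_encode(['stored' => storeProfileImage($_FILES['profile_image'])]);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo json_encode(['error' => $e->getMessage()]);
    }
} elseif (isset($_GET['img'])) {
    serveProfileImage((string) $_GET['img']);
}
```

Two design points matter here. The stored extension is chosen from the detected MIME type, never from the client filename, so a file uploaded as "shell.php" that happens to begin with a valid PNG header is stored as a .png under a random name, and because the directory is outside the webroot the server has no route that could execute it. The serving function accepts only names the store function could have produced, so a request cannot reach any other file on disk.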
