HortusFox Web Zip Slip Vulnerability in Import Module Allows Arbitrary Code Execution

Vulnerability

A zip slip vulnerability has been identified in the ImportModule component of HortusFox Web version 4.4. This vulnerability allows authenticated administrators to execute arbitrary code by uploading a crafted ZIP archive through the theme import functionality. The vulnerability arises because the application does not properly validate archive entries before extraction, enabling attackers to place malicious files, such as PHP web shells, into publicly accessible directories. Once the uploaded shell is invoked, it can lead to full remote code execution on the server.
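The missing control is a per-entry path check that runs before any file is written. As an added illustration (not HortusFox's own code, and written in Python rather than the project's PHP), the function below validates every archive entry against absolute paths, drive letters and `..` components, refuses the whole archive if any entry fails, and re-checks the resolved target against the extraction root as a second line of defence; the sample archives are constructed in memory.

```python
import io
import zipfile
from pathlib import Path, PurePosixPath


class ZipSlipError(ValueError):
    """An archive entry would land outside the extraction directory."""


def is_safe_member(name: str) -> bool:
    """Reject empty names, absolute paths, drive letters and any '..' component.
    Backslashes are normalised first so Windows-style traversal is caught too."""
    norm = name.replace("\\", "/")
    path = PurePosixPath(norm)
    if not norm or path.is_absolute() or norm[1:3] == ":/":
        return False
    return ".." not in path.parts


def check_archive(zip_bytes: bytes) -> list[str]:
    """Validate every entry before anything is written; return the entry names."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    bad = [n for n in names if not is_safe_member(n)]
    if bad:
        raise ZipSlipError(f"unsafe entries: {bad}")
    return names


def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Extract only after the whole archive has passed check_archive()."""
    root = Path(dest).resolve()
    names = check_archive(zip_bytes)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in names:
            target = (root / name).resolve()
            # Second line of defence: the resolved path must still be under root.
            if root != target and root not in target.parents:
                raise ZipSlipError(f"entry escapes root: {name!r}")
            zf.extract(name, root)
    return names


def build_archive(entries: dict[str, bytes]) -> bytes:
    """Build a ZIP in memory (constructed sample data, not a real theme)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

Rejecting the archive as a whole, rather than skipping bad entries, keeps a partially written theme from ever reaching the web root.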

Impact

Exploitation of this vulnerability allows for full server compromise, with arbitrary command execution as the web server user. This could be used to upload additional tools, pivot to internal services, or read and write sensitive data such as configuration files, database credentials, and source code. Additionally, exploitation of this vulnerability could be combined with other identified vulnerabilities to escalate privileges or access sensitive areas of the application.

Reproduction

To reproduce this vulnerability, an authenticated administrator can upload a ZIP file containing a PHP web shell to the theme import module. The ZIP file should be crafted to include a payload file that exploits the zip slip vulnerability by traversing directory boundaries and placing the file in a location that can be accessed via the web server. After the ZIP file is uploaded and extracted, the web shell can be accessed through the web server, allowing for remote code execution.

Added: Aug 13, 2025, 9:22 PM
Updated: Aug 13, 2025, 9:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 6.1
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.