MojoPortal CMS Zip Slip Vulnerability in Skin Upload Feature

A zip slip vulnerability has been identified in MojoPortal CMS version 2.9.0.1, specifically within the /DesignTools/SkinList.aspx endpoint. This vulnerability allows attackers to execute arbitrary commands by uploading a specially crafted zip file. The issue arises because the application extracts files from the zip archive without properly validating or sanitizing the file paths, enabling malicious files to be written outside the intended directory.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the server.

Reproduction

To reproduce this vulnerability, first craft a zip file containing a valid layout.master and theme.skin file, along with a payload file named error.htm that is intended to overwrite an existing file. Then, access the /DesignTools/SkinList.aspx endpoint with admin privileges and upload the crafted zip file. The uploaded zip file will be extracted, and the paths will traverse outside the intended directory, demonstrating the zip slip vulnerability.

Remediation

Users are advised to update to MojoPortal version 2.9.1, which addresses this vulnerability by fixing issues related to zip file handling.