GreenCMS
cpe:2.3:a:njtech:greencms:*:*:*:*:*:*:*
- 2.3.0603
A critical vulnerability allowing unrestricted file uploads has been identified in GreenCMS versions through 2.3.0603. The issue resides in the media management module, specifically within the 'fileconnect' action of the admin interface. This vulnerability arises from inadequate validation of the 'upload[]' parameter, enabling attackers to upload arbitrary files, including malicious scripts, without proper checks on file type, size, content, or storage location. As a result, uploaded scripts could be executed on the server, leading to unauthorized access and potential compromise of sensitive data.
Exploitation of this vulnerability allows attackers to upload and execute malicious scripts on the server, potentially leading to full server control, unauthorized access to sensitive data, distribution of malware, or denial of service.
The vulnerability can be reproduced by sending a POST request to '/index.php?m=admin&c=media&a=fileconnect' with the 'upload[]' parameter containing a file, such as a PHP script. This can be done using tools like cURL or Postman.
It is recommended to implement strict file type validation, set file size limits, store uploaded files outside the web root, rename uploaded files to ensure uniqueness, and conduct regular security audits of the file upload functionality.
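The recommendations above, combined into one upload handler as an added example (this is not GreenCMS code). The storage directory, size limit, allow-list and the function name `store_upload` are assumptions chosen for illustration, and the PHP `fileinfo` extension is assumed to be enabled.

```php
<?php
// Added example, not GreenCMS code. Paths, limits and names are assumptions.
const UPLOAD_DIR = '/srv/greencms-uploads'; // assumed directory outside the web root
const MAX_BYTES  = 2 * 1024 * 1024;         // assumed 2 MiB size limit
const ALLOWED    = [                        // sniffed MIME type => extension we assign
    'image/jpeg'      => 'jpg',
    'image/png'       => 'png',
    'image/gif'       => 'gif',
    'application/pdf' => 'pdf',
];

// Validate and store one entry of $_FILES['upload']; returns the stored name.
function store_upload(string $tmpPath, int $error): string
{
    if ($error !== UPLOAD_ERR_OK || !is_uploaded_file($tmpPath)) {
        throw new RuntimeException('upload failed or not an HTTP upload');
    }
    // Measure the file on disk rather than trusting the reported size.
    $size = filesize($tmpPath);
    if ($size === false || $size === 0 || $size > MAX_BYTES) {
        throw new RuntimeException('file size outside allowed range');
    }
    // Type comes from the content, never from the client file name or Content-Type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    $ext  = ALLOWED[(string) $mime] ?? null;
    if ($ext === null) {
        throw new RuntimeException('file type not allowed');
    }
    // Server-generated name: the client-supplied name and extension are discarded,
    // so a script cannot keep an executable extension.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($tmpPath, $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // no execute bit
    return $name;
}

// 'upload[]' arrives as parallel arrays under $_FILES['upload'].
$stored   = [];
$tmpNames = $_FILES['upload']['tmp_name'] ?? [];
foreach (is_array($tmpNames) ? $tmpNames : [] as $i => $tmp) {
    try {
        $stored[] = store_upload($tmp, (int) $_FILES['upload']['error'][$i]);
    } catch (RuntimeException $e) {
        error_log('rejected upload: ' . $e->getMessage());
    }
}
```

Content sniffing can be fooled by files that are valid in more than one format, which is why the server-assigned extension and the directory outside the web root both matter. Files stored this way are served through a download script rather than by direct URL.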