Dcat-Admin
cpe:2.3:a:dcatadmin:dcat_admin:*:*:*:*:*:*:*
- <= 2.2.3-beta
A file upload vulnerability allowing unrestricted file types has been identified in Dcat-Admin versions through 2.2.3-beta. The issue resides in the User Setting Page, specifically in the editorMDUpload function behind the endpoint /admin/dcat-api/editor-md/upload. The vulnerability can be exploited remotely: the upload request lacks proper security checks, which enables the execution of arbitrary PHP code on the server.
Exploitation of this vulnerability allows for arbitrary PHP code execution on the server, potentially leading to full control over the affected system.
To reproduce this vulnerability, log into the system backend and upload any image file to initiate a normal upload process. Capture the network packet of this upload request. Then, send the captured request to a repeater tool, such as Burp Suite's Repeater. Modify the request by changing the upload endpoint to 'dcat-api/editor-md/upload' and replacing the request body with a crafted payload, such as a malicious PHP file. Take care not to alter the '_token' parameter, as altering it will trigger a token error. After sending the modified request, access the uploaded file through the corresponding link, which will execute the uploaded PHP code, demonstrating successful exploitation.
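For defenders, the sequence described above (a successful POST to the editor-md upload endpoint, then a request for a server-executable file from the same client) can be hunted in web server access logs. The Python function below is an added example, not code from the advisory or from the Dcat-Admin project; the combined log format, the extension list, the 10-minute window and the sample lines with their placeholder upload path are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Endpoint named in the advisory; match the suffix in case the admin prefix differs.
UPLOAD_SUFFIX = "dcat-api/editor-md/upload"
# Assumption: extensions this web server hands to the PHP interpreter.
SCRIPT_EXT = (".php", ".phtml", ".phar")
WINDOW = timedelta(minutes=10)  # assumption: correlation window after an upload

LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def find_upload_then_execute(lines):
    """Return (ip, upload_time, fetched_path) for each script fetch that follows
    a successful POST to the editor-md upload endpoint from the same client."""
    last_upload = {}  # ip -> time of that client's most recent successful upload
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format access log line
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0].lower()  # drop query string, fold case
        ok = m["status"].startswith("2")
        if m["method"] == "POST" and path.rstrip("/").endswith(UPLOAD_SUFFIX) and ok:
            last_upload[m["ip"]] = ts
        elif m["method"] in ("GET", "POST") and path.endswith(SCRIPT_EXT) and ok:
            up = last_upload.get(m["ip"])
            if up is not None and timedelta(0) <= ts - up <= WINDOW:
                hits.append((m["ip"], up.isoformat(), m["path"]))
    return hits

# Constructed sample log lines (not from a real system; upload path is a placeholder).
SAMPLE = [
    '203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "POST /admin/dcat-api/editor-md/upload HTTP/1.1" 200 182',
    '203.0.113.7 - - [12/Mar/2024:10:00:09 +0000] "GET /uploads/images/a1b2c3.php HTTP/1.1" 200 12',
    '198.51.100.4 - - [12/Mar/2024:10:01:00 +0000] "POST /admin/dcat-api/editor-md/upload HTTP/1.1" 200 190',
    '198.51.100.4 - - [12/Mar/2024:10:01:02 +0000] "GET /uploads/images/d4e5f6.png HTTP/1.1" 200 48211',
    '192.0.2.9 - - [12/Mar/2024:10:02:00 +0000] "GET /uploads/images/a1b2c3.php HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for hit in find_upload_then_execute(SAMPLE):
        print("suspicious:", hit)
```

Correlation is per client address, so a script fetch from a different address than the upload is not flagged; widen the key or alert on any script request under the upload directory if that matters in your environment.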