SourceBans Material Admin Arbitrary File Upload Vulnerability Allowing Remote Code Execution

Vulnerability

An arbitrary file upload vulnerability has been identified in SourceBans Material Admin version 1.1.6 prior to 1.1.6@fb18342. It lies in the 'pages/admin.uploadmapimg.php' component, whose upload handler checks only the client-reported Content-Type and the PHP upload error code; neither the file's content nor its extension is validated. Because the reported Content-Type is simply the header the client attached to the multipart part, an authenticated attacker holding the ADMIN_ADD_SERVER flag can label a PHP file as 'image/jpeg', pass the check, and upload a PHP shell that the web server then executes.

Impact

Successful exploitation yields remote code execution on the server, with the attacker's code running as the web server user. From there the whole site is compromised: the attacker can read the SourceBans configuration and database, including the stored RCON credentials, and use those credentials to take control of every game server the installation manages.

Reproduction

To reproduce this vulnerability, an authenticated user with the ADMIN_ADD_SERVER flag submits a file to the 'admin.uploadmapimg.php' page. The only content check is that the part's Content-Type equals 'image/jpeg', and that header is set by the client, so the upload request is crafted with a PHP file as the body and 'Content-Type: image/jpeg' on the part. The file is accepted and written to a location served by the web server; requesting it by URL executes the PHP shell.

Remediation

Users are advised to update SourceBans Material Admin to 1.1.6@fb18342 or later. If an immediate update is not possible, disable the 'admin.uploadmapimg.php' page temporarily, or patch it so that it ignores the client-supplied Content-Type, validates the actual file content, stores uploads under a server-generated name with a fixed image extension, and serves the image directory with PHP execution disabled. Because the flag required is one routinely granted to server administrators, installations that ran a vulnerable version should also inspect the directory where map images are stored for files that are not images and review web server logs for requests to unexpected files in it.
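The following is an added illustration, not code from SourceBans Material Admin: it models the weak check described above (Content-Type plus upload error code only) beside a hardened replacement, and runs the two against a constructed genuine image and a constructed PHP shell with a spoofed Content-Type. The function names, the upload directory and the sample inputs are assumptions made for the demo.

```php
<?php
declare(strict_types=1);

// Added example, not the project's code. Function names, the target directory
// and the demo inputs are assumptions for illustration.

// Weak check, as described in the advisory: trusts $_FILES[...]['type'], which
// PHP copies verbatim from the Content-Type header of the multipart part the
// client sent. A .php body labelled "image/jpeg" passes unchanged.
function weak_upload_ok(array $file): bool
{
    return $file['error'] === UPLOAD_ERR_OK && $file['type'] === 'image/jpeg';
}

// Hardened check: never reads $file['type']; sniffs the stored bytes instead
// and refuses anything containing a PHP open tag (covers JPEG/PHP polyglots).
function hardened_upload_ok(array $file, ?string &$reason = null): bool
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        $reason = 'PHP reported an upload error';
        return false;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== 'image/jpeg') {
        $reason = "content sniffs as $mime, not image/jpeg";
        return false;
    }
    $body = (string) file_get_contents($file['tmp_name']);
    if (preg_match('/<\?(php|=)?/i', $body)) {
        $reason = 'PHP open tag found inside image data';
        return false;
    }
    return true;
}

// Store under a server-generated name with a fixed .jpg extension so the
// client-chosen filename (e.g. "shell.php") never reaches the filesystem.
function store_map_image(array $file, string $dir): string
{
    $dest = rtrim($dir, '/') . '/' . bin2hex(random_bytes(16)) . '.jpg';
    // A real handler uses move_uploaded_file(); rename() keeps this runnable from the CLI.
    if (!rename($file['tmp_name'], $dest)) {
        throw new RuntimeException("could not store upload in $dir");
    }
    return $dest;
}

// --- Constructed demo inputs (not captured from a real system) ---
$tmpDir = sys_get_temp_dir();
$jpegPath = tempnam($tmpDir, 'map');
// Minimal JPEG SOI + JFIF APP0 header + EOI: enough for libmagic to call it image/jpeg.
file_put_contents($jpegPath, "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xFF\xD9");
$shellPath = tempnam($tmpDir, 'map');
file_put_contents($shellPath, "<?php system(\$_GET['cmd']); ?>");

$uploads = [
    'genuine map image'                => ['name' => 'ctf_map.jpg', 'type' => 'image/jpeg',
                                           'tmp_name' => $jpegPath,  'error' => UPLOAD_ERR_OK],
    'PHP shell, spoofed Content-Type'  => ['name' => 'shell.php',   'type' => 'image/jpeg',
                                           'tmp_name' => $shellPath, 'error' => UPLOAD_ERR_OK],
];

foreach ($uploads as $label => $file) {
    $reason = null;
    printf("%-32s weak: %-7s hardened: %s%s\n", $label,
        weak_upload_ok($file) ? 'accept' : 'reject',
        hardened_upload_ok($file, $reason) ? 'accept' : 'reject',
        $reason !== null ? " ($reason)" : '');
}

// Only the file that passed the hardened check is stored, and under a generated name.
$stored = store_map_image($uploads['genuine map image'], $tmpDir);
echo "stored genuine image as " . basename($stored) . "\n";
unlink($stored);
unlink($shellPath);
```

Run with `php` from the command line. The weak check accepts both uploads, since both carry 'image/jpeg' in the client-controlled type field; the hardened check rejects the shell because libmagic sniffs it as PHP source. In a deployed patch, add `getimagesize()` as a further decode check (omitted here only because the constructed header is not a complete image), and as defence in depth configure the web server so that nothing in the map image directory is ever handed to the PHP interpreter, so even a missed polyglot cannot execute.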

Added: May 28, 2026, 9:27 PM
Updated: May 28, 2026, 9:27 PM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 7.5
exploitability: 6.0
remediation: 8.3
relevance: 9.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.