Hytale Modding Wiki Remote Code Execution Vulnerability via File Upload Bypass

Vulnerability

A remote code execution vulnerability exists in the Hytale Modding Wiki, specifically in version 1.2.0 and prior. The issue arises in the 'quickUpload()' endpoint, which validates uploaded files by checking their MIME type using PHP's 'finfo' function. However, the endpoint constructs the stored filename based on the client-supplied file extension, allowing an attacker to upload a file that bypasses the MIME allowlist by disguising it as an allowed type while using a .php extension. The uploaded file is saved on the public disk, accessible via URL, and can execute server-side code. This vulnerability has been confirmed on a local instance, where the full exploitation chain, from file upload to database exfiltration, was demonstrated.

Impact

Exploitation of this vulnerability allows for arbitrary PHP code execution on the server with the web server's user privileges. Additionally, the uploaded PHP script can read sensitive information from Laravel's '.env' file, including the application key, database credentials, and other secrets. Furthermore, all database contents can be dumped to a publicly accessible file, and the exposed API keys and credentials may grant access to other services. An uploaded web shell could also be used for persistent access, surviving password resets or session revocation.

Reproduction

To reproduce this vulnerability, an authenticated user with 'edit' permissions on a mod can upload a PHP file through the 'quickUpload()' endpoint. The file must be crafted to pass the MIME type check by prepending magic bytes that simulate an allowed image type, such as 'image/gif', while including PHP code. Once uploaded, the file is stored with a '.php' extension on the public disk, where it can be accessed via URL. Visiting the URL executes the PHP code on the server.
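A plain-PHP illustration of the flaw and its fix, added here and not taken from the wiki's own source: the vulnerable handler trusts the client extension once finfo accepts the MIME type, while the hardened handler derives the stored extension from the detected type and rejects a client extension that does not belong to it. The allowlist, directory handling and function names are assumptions.

```php
<?php
// Added example, not the Hytale Modding Wiki's code. Plain PHP showing the
// pattern the advisory describes: finfo validates the MIME type, but the
// stored extension comes from the client. Allowlist and directories are assumed.

const ALLOWED_MIME = [
    'image/png'  => ['png'],          // detected MIME => acceptable client extensions
    'image/jpeg' => ['jpg', 'jpeg'],  // first entry is the extension actually stored
    'image/gif'  => ['gif'],
];

function detectMime(string $path): string
{
    return (string) (new finfo(FILEINFO_MIME_TYPE))->file($path);
}

// VULNERABLE: a body that starts with image magic bytes passes the finfo check,
// but the extension decides how the web server treats the file, and it is taken
// verbatim from the client name, so 'x.php' is stored and served as PHP.
function storeUploadVulnerable(string $tmpPath, string $clientName, string $dir): ?string
{
    if (!isset(ALLOWED_MIME[detectMime($tmpPath)])) {
        return null;
    }
    $ext  = pathinfo($clientName, PATHINFO_EXTENSION);   // attacker-controlled
    $dest = $dir . '/' . bin2hex(random_bytes(8)) . '.' . $ext;
    return rename($tmpPath, $dest) ? $dest : null;      // move_uploaded_file() in a real handler
}

// HARDENED: the stored extension is derived from the detected MIME type, and a
// client extension that does not belong to that type is rejected. Serve the
// upload directory with script execution disabled as a second layer.
function storeUploadHardened(string $tmpPath, string $clientName, string $dir): ?string
{
    $mime = detectMime($tmpPath);
    if (!isset(ALLOWED_MIME[$mime])) {
        return null;
    }
    $clientExt = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($clientExt, ALLOWED_MIME[$mime], true)) {
        return null;   // e.g. an image/gif body uploaded as 'avatar.php'
    }
    $dest = $dir . '/' . bin2hex(random_bytes(8)) . '.' . ALLOWED_MIME[$mime][0];
    return rename($tmpPath, $dest) ? $dest : null;
}

// Constructed check: GIF magic bytes followed by non-image text, named *.php.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "GIF89a" . str_repeat("\0", 7) . "<?php echo 'not an image';");
var_dump(storeUploadHardened($tmp, 'avatar.php', sys_get_temp_dir()));
```

The constructed file is detected as image/gif, so the vulnerable handler would store it as .php; the hardened handler returns null because .php is not an acceptable extension for that type.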

Remediation

Users are advised to update to version 1.1.2, where this vulnerability has been patched.

Added: Apr 2, 2026, 8:31 PM
Updated: Apr 2, 2026, 8:31 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 6.6
remediation: 0.0
relevance: 5.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.