Brave CMS CKEditor Unrestricted File Upload Vulnerability Allowing Remote Code Execution
Vulnerability
A vulnerability allowing unrestricted file uploads has been identified in Brave CMS versions prior to 2.0.6. This issue resides in the CKEditor upload feature, specifically within the 'ckupload' method of the CkEditorController.php file. The vulnerability arises because the method does not perform server-side validation of the uploaded file's type and relies solely on the type supplied by the client. As a result, an authenticated user can upload executable PHP scripts, leading to remote code execution.
Impact
Exploitation of this vulnerability allows authenticated users to upload malicious PHP files, which can be executed on the server, resulting in arbitrary code execution with the same privileges as the web server user.
Reproduction
To reproduce this vulnerability, authenticate as a user with at least Author privileges. Intercept the CKEditor image upload POST request to the '/dashboard/ckupload' endpoint. Modify the multipart payload to include a PHP file named 'shell.php' disguised as an image (Content-Type: image/png) and insert a PHP payload. Once the request is sent, the server will save the file in the public directory and return a URL containing an MD5 hash of the uploaded file. Access this URL in a browser, appending the parameter '?cmd=id' to execute the uploaded PHP script. The server will respond with the executed command's output, demonstrating successful exploitation.
Remediation
Users are advised to update to Brave CMS version 2.0.6 or later. For those running earlier versions, implement strict file type validation in the 'ckupload' method: use request validation to restrict uploads to specific image formats and to enforce a file size limit. Additionally, configure the web server to prevent script execution in the '/images/articles' directory.
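As an added illustration of the remediation above (example code, not Brave CMS's own handler), a plain-PHP upload routine showing the weak pattern that trusts the client-supplied type beside a hardened version; the function names and the $uploadDir parameter are assumptions.

```php
<?php
// Added example, not Brave CMS code. $file is one entry of $_FILES;
// $uploadDir is an assumed, fixed directory outside any code path.
declare(strict_types=1);

// Weak: the only "check" is the Content-Type the client sent, so a file
// named shell.php sent with Content-Type: image/png passes and keeps its name.
function weakCkUpload(array $file, string $uploadDir): string
{
    if (strpos($file['type'], 'image/') !== 0) {
        throw new RuntimeException('not an image');
    }
    $dest = $uploadDir . '/' . basename($file['name']); // .php extension survives
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// Hardened: size limit, server-side content detection, extension whitelist,
// and a server-chosen file name so nothing client-controlled reaches the disk.
function hardenedCkUpload(array $file, string $uploadDir): string
{
    $allowed  = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    $maxBytes = 2 * 1024 * 1024;

    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > $maxBytes) {
        throw new RuntimeException('file too large');
    }
    // Ignore $file['type'] and $file['name']; detect the type from the bytes.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$mime]) || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('unsupported file type');
    }
    // Random name with an extension derived from the detected type.
    $dest = $uploadDir . '/' . bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $dest;
}
// Pair this with a web-server rule that disables PHP execution under the
// upload directory (for Apache with mod_php, e.g. `php_flag engine off` in an
// .htaccess there), so a validation bypass still cannot run code.
```

In a framework that offers request validation, the same checks correspond to its image, mimes and max rules applied to the upload field.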
