Webkul Krayin CRM Arbitrary File Upload Vulnerability in TinyMCE Controller Allowing Remote Code Execution

Vulnerability

A vulnerability exists in Webkul Krayin CRM version 2.2.x, allowing authenticated users to upload arbitrary files through the TinyMCE upload endpoint. The application fails to properly validate file types, enabling the upload of malicious PHP files that can be executed on the server, leading to remote code execution.

Impact

Exploitation of this vulnerability allows for remote code execution on the server, with the executed code running in the context of the web server process. This could result in a full server compromise, including access to all files on the server, modification or deletion of files, and potential lateral movement within the internal network.

Reproduction

To reproduce this vulnerability, authenticate to Krayin CRM with a valid user account. Then, upload a PHP file containing arbitrary PHP code to the '/admin/tinymce/upload' endpoint. After the file is uploaded, note the file path provided in the JSON response. Finally, send a GET request to the uploaded file's URL, which will trigger the execution of the PHP code on the server.

Remediation

Users are advised to implement file type validation to restrict uploads to safe MIME types and extensions, store uploaded files outside the web root, rename files to random UUIDs with safe extensions, disable PHP execution in upload directories if files must remain web-accessible, and review authentication requirements for the TinyMCE upload endpoint.
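The following is an added example of an upload handler that applies the remediation steps above; it is not code from Krayin CRM or from this advisory. It is plain PHP rather than Laravel-specific so it runs stand-alone, and the storage path, the 5 MiB size cap, the multipart field name "file", the "/media/" serving route and the function names are all assumptions for illustration.

```php
<?php
// Added example (not Krayin's code): a hardened handler for an editor image
// upload endpoint. Assumes the caller has already enforced authentication and
// that UPLOAD_DIR lies outside the web server's document root.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/storage/uploads'; // assumed path, outside the web root

// Allowlist of extensions and the single content-sniffed MIME type each must match.
const ALLOWED = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
    'webp' => 'image/webp',
];

/**
 * Validate an uploaded file and return its safe extension, or null if rejected.
 * $tmpPath is the server-side temporary file; $clientName is the user-supplied
 * filename, used only to pick an extension candidate, never as the stored name.
 */
function validateUpload(string $tmpPath, string $clientName): ?string
{
    // Lowercased extension from the client name. A double extension such as
    // "x.php.jpg" yields "jpg" here and is then checked by actual content below.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        return null;
    }

    // MIME type from the file's magic bytes, never from the client's Content-Type.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($tmpPath) !== ALLOWED[$ext]) {
        return null;
    }

    // Independent second check: the bytes must parse as an image.
    if (@getimagesize($tmpPath) === false) {
        return null;
    }
    return $ext;
}

/** Random UUID v4 storage name with the validated extension; no user input is used. */
function randomName(string $ext): string
{
    $b = random_bytes(16);
    $b[6] = chr((ord($b[6]) & 0x0f) | 0x40); // version 4
    $b[8] = chr((ord($b[8]) & 0x3f) | 0x80); // RFC 4122 variant
    $hex = bin2hex($b);
    return sprintf('%s-%s-%s-%s-%s.%s',
        substr($hex, 0, 8), substr($hex, 8, 4), substr($hex, 12, 4),
        substr($hex, 16, 4), substr($hex, 20, 12), $ext);
}

/**
 * Process one entry of $_FILES and return a JSON-encodable result. Only an
 * opaque serving URL is returned, never the filesystem path.
 */
function handleUpload(array $file): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return ['error' => 'upload failed'];
    }
    if (($file['size'] ?? 0) > 5 * 1024 * 1024) { // 5 MiB cap (assumed policy)
        return ['error' => 'file too large'];
    }
    $ext = validateUpload($file['tmp_name'], $file['name'] ?? '');
    if ($ext === null) {
        return ['error' => 'file type not allowed'];
    }
    $name = randomName($ext);
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return ['error' => 'could not store file'];
    }
    chmod($dest, 0640); // not executable, readable only by the app user/group

    // "location" is the key TinyMCE's upload handler reads from the response.
    // The assumed /media/{name} route streams the file from UPLOAD_DIR with a
    // Content-Type taken from ALLOWED, so nothing under the web root is ever written.
    return ['location' => '/media/' . $name];
}

if (PHP_SAPI !== 'cli' && isset($_FILES['file'])) {
    header('Content-Type: application/json');
    echo json_encode(handleUpload($_FILES['file']));
}
```

Two design choices matter most here: the stored filename is generated entirely by the server, so neither a crafted name nor a double extension can reach the filesystem, and acceptance depends on sniffed content plus a successful image parse rather than on the extension or the client-declared MIME type alone. If an existing deployment cannot move uploads out of the web root, the complementary control from the remediation list is to turn off script execution for that directory at the web server (for Apache, `php_admin_flag engine off` inside a `<Directory>` block for the upload path; for nginx, a nested `location ~ \.php$ { return 403; }` under the upload location) so that a file which slips through validation is served as static content rather than executed.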

Added: Apr 14, 2026, 5:11 PM
Updated: Apr 14, 2026, 5:11 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 10.0
exploitability: 6.2
remediation: 0.0
relevance: 5.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.