Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-f3cx-396f-7jqp

Опубликовано: 08 окт. 2024
Источник: github
Github: Прошло ревью
CVSS4: 7.7
CVSS3: 7.5

Описание

Livewire Remote Code Execution on File Uploads

In livewire/livewire prior to v2.12.7 and v3.5.2, the file extension of an uploaded file is guessed based on the MIME type. As a result, the actual file extension from the file name is not validated. An attacker can therefore bypass the validation by uploading a file with a valid MIME type (e.g., image/png) and a “.php” file extension. If the following criteria are met, the attacker can carry out an RCE attack:

  • Filename is composed of the original file name using $file->getClientOriginalName()
  • Files stored directly on your server in a public storage disk
  • Webserver is configured to execute “.php” files

PoC

In the following scenario, an attacker could upload a file called shell.php with an image/png MIME type and execute it on the remote server.

class SomeComponent extends Component { use WithFileUploads; #[Validate('image|extensions:png')] public $file; public function save() { $this->validate(); $this->file->storeAs( path: 'images', name: $this->file->getClientOriginalName(), options: ['disk' => 'public'], ); } }

Ссылки

Пакеты

Наименование

livewire/livewire

composer
Затронутые версииВерсия исправления

>= 3.0.0-beta.1, < 3.5.2

3.5.2

Наименование

livewire/livewire

composer
Затронутые версииВерсия исправления

< 2.12.7

2.12.7

EPSS

Процентиль: 54%
0.00307
Низкий

7.7 High

CVSS4

7.5 High

CVSS3

CVE ID

CVE-2024-47823

Дефекты

CWE-20
CWE-434

Связанные уязвимости

nvd логотип

CVE-2024-47823

CVSS3: 9.8
nvd
больше 1 года назад

Livewire is a full-stack framework for Laravel that allows for dynamic UI components without leaving PHP. In livewire/livewire prior to `2.12.7` and `v3.5.2`, the file extension of an uploaded file is guessed based on the MIME type. As a result, the actual file extension from the file name is not validated. An attacker can therefore bypass the validation by uploading a file with a valid MIME type (e.g., `image/png`) and a “.php” file extension. If the following criteria are met, the attacker can carry out an RCE attack: 1. Filename is composed of the original file name using `$file->getClientOriginalName()`. 2. Files stored directly on your server in a public storage disk. 3. Webserver is configured to execute “.php” files. This issue has been addressed in release versions `2.12.7` and `3.5.2`. All users are advised to upgrade. There are no known workarounds for this vulnerability.

fstec логотип

BDU:2025-01106

CVSS3: 8.8
fstec
больше 1 года назад

Уязвимость библиотеки Livewire PHP-фреймворка Laravel, позволяющая нарушителю выполнить произвольный код

EPSS

Процентиль: 54%
0.00307
Низкий

7.7 High

CVSS4

7.5 High

CVSS3

CVE ID

CVE-2024-47823

Дефекты

CWE-20
CWE-434