[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Jedox 2020.2.5 - Remote Code Execution via Configurable Storage Path Vulnerability

Author
Team Syslifters
Risk
[
Security Risk Critical
]
0day-ID
0day-ID-38662
Category
web applications
Date add
05-05-2023
CVE
CVE-2022-47878
Platform
php
# Exploit Title: Jedox 2020.2.5 - Remote Code Execution via Configurable Storage Path
# Exploit Author: Team Syslifters / Christoph MAHRL, Aron MOLNAR, Patrick PIRKER and Michael WEDL
# Vendor Homepage: https://jedox.com
# Version: Jedox 2020.2 (20.2.5) and older
# CVE : CVE-2022-47878


Introduction
=================
Incorrect input validation for the default storage path variable in the settings page allows remote, authenticated users to specify the location as web root directory. Consecutive file uploads can lead to the execution of arbitrary code. To exploit the vulnerability, the attacker sets the default storage path to the web root.


Write-Up
=================
See [Docs Syslifters](https://docs.syslifters.com/) for a detailed write-up on how to exploit vulnerability.


Proof of Concept
=================
1) In the UI in the application settings page the default storage path can be set to any value. This path could be set as the webroot directory of the webserver e.g. /htdocs/app/docroot/.

2) Then any upload/import function can be used to upload a .php webshell file to the webroot.

3) Execute webshell from the webroot directory to obtain RCE.

#  0day.today [2024-12-25]  #