7
[webapps] Jedox 2020.2.5 - Remote Code Execution via Configurable Storage Path
source link: https://www.exploit-db.com/exploits/51426
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Jedox 2020.2.5 - Remote Code Execution via Configurable Storage Path
# Exploit Title: Jedox 2020.2.5 - Remote Code Execution via Configurable Storage Path
# Date: 28/04/2023
# Exploit Author: Team Syslifters / Christoph MAHRL, Aron MOLNAR, Patrick PIRKER and Michael WEDL
# Vendor Homepage: https://jedox.com
# Version: Jedox 2020.2 (20.2.5) and older
# CVE : CVE-2022-47878
Introduction
=================
Incorrect input validation for the default storage path variable in the settings page allows remote, authenticated users to specify the location as web root directory. Consecutive file uploads can lead to the execution of arbitrary code. To exploit the vulnerability, the attacker sets the default storage path to the web root.
Write-Up
=================
See [Docs Syslifters](https://docs.syslifters.com/) for a detailed write-up on how to exploit vulnerability.
Proof of Concept
=================
1) In the UI in the application settings page the default storage path can be set to any value. This path could be set as the webroot directory of the webserver e.g. /htdocs/app/docroot/.
2) Then any upload/import function can be used to upload a .php webshell file to the webroot.
3) Execute webshell from the webroot directory to obtain RCE.
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK