We recently discovered a vulnerability in Blogifier.net v2.3 that allows for unauthenticated remote code execution.
| Date | Event |
|---|---|
| 5/08/2019 | Vulnerability discovered by Security401. |
| 5/09/2019 | Vulnerability reported to the vendor. |
| 5/11/2019 | Issue patched by the vendor. |
The issue was fixed here, but please be sure to use the latest version as additional fixes have been made since this issue was discovered.
Blogifier is an open source blog written in .NET Core and the suggested replacement for BlogEngine.NET.
The assets controller exposes two endpoints for uploading and deleting files on the server. Both are vulnerable to path traversal: the file name supplied in the multipart upload and the url parameter of the remove request are used to build a filesystem path without being confined to the intended directory, so an unauthenticated attacker can delete or write files anywhere the application process has permission to. If the application runs with elevated privileges, that means arbitrary files on the host.

POST /api/assets/upload
DELETE /api/assets/remove
The path traversal for both endpoints can be reproduced with the commands below (the multipart field name was lost from the original write-up; it is assumed to be file here, so adjust it to match the controller's parameter if it differs):

curl -i -s -k -X $'DELETE' $'http://localhost/api/assets/remove?url=../shell.txt'

curl -X POST "http://localhost/api/assets/upload" \
  -F 'file=@webshell.cshtml;filename=../../../webshell.cshtml'

The second command uploads the local file webshell.cshtml but tells the server its name is ../../../webshell.cshtml, which is the attacker-controlled value the application combines with its asset directory.
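The vulnerable pattern behind both endpoints is a Path.Combine of a trusted root with an attacker-controlled name, and the fix is to canonicalise the result and confirm it still lies under the root. The following is an added illustration written for this page, not Blogifier's own code; the class and method names, the asset root, and the target framework (.NET 6 or later, for OperatingSystem.IsWindows) are assumptions.

```csharp
// Added example, not taken from Blogifier. Shows the traversal-prone
// pattern beside a hardened replacement for resolving an asset path.
using System;
using System.IO;

public static class AssetPaths
{
    // Vulnerable pattern: the attacker-controlled name (the multipart
    // "filename" header on upload, or the ?url= query parameter on remove)
    // goes straight into Path.Combine. "../" segments walk out of the asset
    // root, and if the name is rooted ("/etc/passwd", "C:\x") Path.Combine
    // discards the root argument entirely and returns the attacker's path.
    public static string Vulnerable(string assetRoot, string userPath)
    {
        return Path.Combine(assetRoot, userPath);
    }

    // Hardened: reject rooted input, canonicalise the combined path, and
    // require that it stays inside the asset root. Returns null when the
    // request must be refused.
    public static string SafeResolve(string assetRoot, string userPath)
    {
        if (string.IsNullOrWhiteSpace(userPath)) return null;

        // Refuse rooted names instead of letting Path.Combine replace the root.
        if (Path.IsPathRooted(userPath)) return null;

        string root = Path.GetFullPath(assetRoot);
        if (!root.EndsWith(Path.DirectorySeparatorChar))
            root += Path.DirectorySeparatorChar;

        // GetFullPath collapses "." and ".." segments, so the prefix check
        // below is made on the real target, not on the raw input.
        string candidate = Path.GetFullPath(Path.Combine(root, userPath));

        // The trailing separator on root matters: without it,
        // "/srv/blog/assets-evil" would pass a check against "/srv/blog/assets".
        StringComparison cmp = OperatingSystem.IsWindows()
            ? StringComparison.OrdinalIgnoreCase
            : StringComparison.Ordinal;
        return candidate.StartsWith(root, cmp) ? candidate : null;
    }

    public static void Main()
    {
        // Assumed asset root, for demonstration only.
        string root = Path.Combine(Path.GetTempPath(), "blog", "wwwroot", "data");
        string[] names =
        {
            "photo.png",                 // legitimate
            "../shell.txt",              // the remove PoC above
            "../../../webshell.cshtml",  // the upload PoC above
            "/etc/passwd",               // rooted name, Path.Combine drops root
        };
        foreach (string n in names)
        {
            Console.WriteLine($"{n,-28} vulnerable -> {Vulnerable(root, n)}");
            Console.WriteLine($"{n,-28} hardened   -> {SafeResolve(root, n) ?? "REJECTED"}");
        }
    }
}
```

Two further points a reviewer would raise on the original endpoints: they accept requests without authentication, so the controller needs an authorization requirement regardless of the path fix, and for uploads the client-supplied file name should not be reused at all. Generating the stored name server-side and restricting the extension to the asset types the blog actually serves removes the second half of this attack, since a .cshtml file should never land in a directory the Razor engine reads from.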
Remote Code Execution
Depending on file system permissions, the upload traversal can be used to overwrite an existing .cshtml Razor view, which the application compiles and executes on the next request to that page. In our testing, we overwrote Login.cshtml with a slightly modified version of the original and obtained a reverse shell as the account running the blog.