We recently discovered a vulnerability in Blogifier.net v2.3 that allows for unauthenticated remote code execution.
Timeline
| Date | Action |
|---|---|
| 5/08/2019 | Vulnerability discovered by Security401. |
| 5/09/2019 | Vulnerability reported to the vendor. |
| 5/11/2019 | Issue patched by the vendor. |
Fix
The issue was fixed here, but please be sure to use the latest version as additional fixes have been made since this issue was discovered.
Background
Blogifier is an open source blog written in .NET Core and the suggested replacement for BlogEngine.NET.
Technical Details
The assets controller exposes a couple of endpoints that allow uploading and deleting files on the server. The endpoints below are vulnerable to path traversals, allowing an unauthenticated attacker to delete or upload files outside of the intended directories. If the application is run with elevated privileges, the damage can be significant.
POST /api/assets/upload
DELETE /api/assets/removeReproduction Steps
The path traversal vulnerability for these endpoints can be reproduced with the commands below:
curl -i -s -k -X $'DELETE' $'http://localhost/api/assets/remove?url=../shell.txt'curl -X POST "http://localhost/api/assets/upload" \
-F 'files=@webshell.cshtml; filename=../../../webshell.cshtml'Remote Code Execution
Depending on permissions, it is possible to overwrite an existing cshtml file to achieve code execution. In our testing, we were able to overwrite the Login.cshtml file with a slightly modified version and get a reverse shell.
