We recently discovered a vulnerability in Blogifier.net v2.3 that allows for unauthenticated remote code execution.

Timeline

Date        Action
5/08/2019   Vulnerability discovered by Security401.
5/09/2019   Vulnerability reported to the vendor.
5/11/2019   Issue patched by the vendor.

Fix

The issue was fixed here, but please be sure to use the latest version as additional fixes have been made since this issue was discovered.

Background

Blogifier is an open source blog engine written in .NET Core and the suggested replacement for BlogEngine.NET.

Technical Details

The assets controller exposes two endpoints that upload and delete files on the server. Both endpoints are vulnerable to path traversal: the client-supplied file name is used without being confined to the intended directory, so an unauthenticated attacker can delete or upload files outside of it. If the application runs with elevated privileges, the damage can be significant.

POST	/api/assets/upload
DELETE	/api/assets/remove

Reproduction Steps

The path traversal vulnerability for these endpoints can be reproduced with the commands below:

curl -i -s -k -X $'DELETE' $'http://localhost/api/assets/remove?url=../shell.txt'
curl -X POST "http://localhost/api/assets/upload" \
-F 'files=@webshell.cshtml; filename=../../../webshell.cshtml'

Remote Code Execution

Depending on file system permissions, it is possible to overwrite an existing .cshtml Razor view to achieve code execution. In our testing, we were able to overwrite the Login.cshtml file with a slightly modified version and get a reverse shell.
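The root cause is shared by both endpoints: a client-supplied name (the url query parameter or the multipart filename) is joined onto the assets directory without checking that the resolved path stays inside it. The C# below is an added example of that containment check plus a stricter upload rule (keep only the final name component and allow only non-executable extensions); it is not Blogifier's code or the vendor's fix, and the SafePaths class, its methods and the extension allowlist are assumptions.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Runtime.InteropServices;

// Hypothetical helper (not Blogifier's): confines file operations to one root directory.
public static class SafePaths
{
    // Extensions an asset upload may have; .cshtml is deliberately absent so a
    // Razor view can never be written or overwritten through the upload endpoint.
    static readonly string[] AllowedExtensions = { ".png", ".jpg", ".jpeg", ".gif", ".svg", ".pdf" };

    // Canonical root with a trailing separator, so "assets-evil" is not a prefix match for "assets".
    static string CanonicalRoot(string root) =>
        Path.GetFullPath(root).TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
        + Path.DirectorySeparatorChar;

    // Delete/read case: accept a relative path (subdirectories allowed) only if it
    // resolves to a location inside root. "../shell.txt" and absolute paths are rejected
    // because Path.Combine returns a rooted second argument unchanged and GetFullPath
    // collapses ".." segments before the prefix comparison.
    public static bool TryResolveUnderRoot(string root, string userPath, out string fullPath)
    {
        fullPath = null;
        if (string.IsNullOrWhiteSpace(userPath) || userPath.IndexOf('\0') >= 0) return false;
        string rootFull = CanonicalRoot(root);
        string candidate = Path.GetFullPath(Path.Combine(rootFull, userPath));
        var cmp = RuntimeInformation.IsOSPlatform(OSPlatform.Windows)
            ? StringComparison.OrdinalIgnoreCase   // Windows paths are case-insensitive
            : StringComparison.Ordinal;
        if (!candidate.StartsWith(rootFull, cmp)) return false;
        fullPath = candidate;
        return true;
    }

    // Upload case: ignore any directory part the client sent and check the extension,
    // so "../../../webshell.cshtml" is refused rather than silently renamed.
    public static string UploadTarget(string root, string clientFileName)
    {
        string name = Path.GetFileName(clientFileName);
        if (string.IsNullOrEmpty(name)) throw new ArgumentException("empty file name");
        string ext = Path.GetExtension(name).ToLowerInvariant();
        if (!AllowedExtensions.Contains(ext)) throw new ArgumentException("extension not allowed: " + ext);
        return Path.Combine(CanonicalRoot(root), name);
    }

    public static void Main()
    {
        string root = Path.Combine(Path.GetTempPath(), "blog-assets");   // constructed sample root
        foreach (var p in new[] { "img/logo.png", "../shell.txt", "/etc/passwd" })
        {
            bool ok = TryResolveUnderRoot(root, p, out string resolved);
            Console.WriteLine($"{p,-14} -> {(ok ? resolved : "REJECTED")}");
        }
        try { UploadTarget(root, "../../../webshell.cshtml"); }
        catch (ArgumentException e) { Console.WriteLine("upload refused: " + e.Message); }
    }
}
```

In the delete handler the resolved path from TryResolveUnderRoot replaces the raw url parameter; in the upload handler the client-supplied filename is only ever passed through UploadTarget.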