CVE-2023-5311

Note : A JOURNEY TO GAIN KNOWLEDGE
Missing Authorization to .htaccess File lead to RCE

Description

The minimum permission that a subscriber should have typically doesn't include the ability to upload or overwrite files like .htaccess. However, if there is a vulnerability or misconfiguration that allows a subscriber to perform such actions, it could potentially lead to a successful Remote Code Execution (RCE) attack on the server.

Analysis

  • In the register function, each of the three save branches writes an .htaccess file directly from a request parameter (htaccess_root, htaccess_content, or htaccess_includes). None of the branches checks the caller's capability before calling file_put_contents, so a low-privileged user such as a subscriber can reach them.
```php
// Vulnerable handler as shown on the page: no capability or nonce check precedes
// any of the writes. Only the two closing braces missing after the save_root
// branch have been restored; the behaviour is unchanged.
if (!empty($_POST['save_root'])) {
    if (isset($_POST['wp_extra']['htaccess_root'])) {
        $htaccess_root = trim(stripslashes($_POST['wp_extra']['htaccess_root']));
        if ($htaccess_root) {
            // Overwrites the site-root .htaccess unconditionally.
            @file_put_contents($path_root, $htaccess_root);
        }
    }
}
if (!empty($_POST['save_content'])) {
    if (isset($_POST['wp_extra']['htaccess_content'])) {
        $htaccess_content = trim(stripslashes($_POST['wp_extra']['htaccess_content']));
        if ($htaccess_content) {
            // Written only if the file does not exist yet.
            if (!file_exists($path_content)) {
                @file_put_contents($path_content, $htaccess_content);
            }
        } else {
            // An empty value deletes the existing file.
            unlink($path_content);
        }
    }
}
if (!empty($_POST['save_includes'])) {
    if (isset($_POST['wp_extra']['htaccess_includes'])) {
        $htaccess_includes = trim(stripslashes($_POST['wp_extra']['htaccess_includes']));
        if ($htaccess_includes) {
            // Same pattern as above for the wp-includes .htaccess.
            if (!file_exists($path_includes)) {
                @file_put_contents($path_includes, $htaccess_includes);
            }
        } else {
            unlink($path_includes);
        }
    }
}
```
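For contrast, here is what the save_root branch looks like with the two checks the vulnerable handler lacks: an authorization check and a nonce check before anything is written. This is an added example, not the plugin's own code; the hook name, nonce name and function name are assumptions.

```php
<?php
// Added example, not the plugin's code. Hardened form of the save_root branch:
// authorization and CSRF checks run before the .htaccess write. The action
// name 'wp_extra_example_save_htaccess' and the nonce field are assumptions.

function wp_extra_example_save_htaccess_root() {
    // 1. Authorization: only users allowed to manage the site may rewrite
    //    .htaccess. This is the check whose absence makes the CVE exploitable.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to edit .htaccess.', 'wp-extra-example' ), 403 );
    }

    // 2. CSRF protection: the submitted form must carry a valid nonce.
    check_admin_referer( 'wp_extra_example_save_htaccess', 'wp_extra_example_nonce' );

    if ( empty( $_POST['save_root'] ) || ! isset( $_POST['wp_extra']['htaccess_root'] ) ) {
        return;
    }

    $path_root = ABSPATH . '.htaccess';
    $content   = trim( wp_unslash( $_POST['wp_extra']['htaccess_root'] ) );
    if ( '' === $content ) {
        return;
    }

    // 3. Do not @-suppress the write; surface a failure instead of hiding it.
    if ( false === file_put_contents( $path_root, $content ) ) {
        wp_die( esc_html__( 'Could not write .htaccess.', 'wp-extra-example' ), 500 );
    }
}
// admin_post_{action} only fires for logged-in users posting to admin-post.php;
// the capability check above is what restricts it to administrators.
add_action( 'admin_post_wp_extra_example_save_htaccess', 'wp_extra_example_save_htaccess_root' );
```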

POC

Even though the extension itself is blacklisted for upload, the attacker-controlled .htaccess can instruct the web server to treat that extension as executable, just like a regular PHP file, so a file with that extension then runs as code and Remote Code Execution (RCE) is achieved.
Thanks for reading, have a nice day
❤️