CVE-2023-5311

Note : A JOURNEY TO GAIN KNOWLEDGE

Missing Authorization to .htaccess File lead to RCE

Description

The minimum permission that a subscriber should have typically doesn't include the ability to upload or overwrite files like .htaccess. However, if there is a vulnerability or misconfiguration that allows a subscriber to perform such actions, it could potentially lead to a successful Remote Code Execution (RCE) attack on the server.

Analysis

• In the register function, using any of the three different methods, we can completely upload the .htaccess file by utilizing one of the parameters: htaccess_root, htaccess_includes, and htaccess_content.

if (!empty($_POST['save_root'])) {
    if (isset($_POST['wp_extra']['htaccess_root'])) {
        $htaccess_root = trim(stripslashes($_POST['wp_extra']['htaccess_root']));
        if ($htaccess_root) {
            @file_put_contents($path_root, $htaccess_root);
        } 

if (!empty($_POST['save_content'])) {
    if (isset($_POST['wp_extra']['htaccess_content'])) {
        $htaccess_content = trim(stripslashes($_POST['wp_extra']['htaccess_content']));
        if ($htaccess_content) {
            if (!file_exists($path_content)) {
                @file_put_contents($path_content, $htaccess_content);
            }
        } else {
            unlink($path_content);
        }
    }
}

if (!empty($_POST['save_includes'])) {
    if (isset($_POST['wp_extra']['htaccess_includes'])) {
        $htaccess_includes = trim(stripslashes($_POST['wp_extra']['htaccess_includes']));
        if ($htaccess_includes) {
            if (!file_exists($path_includes)) {
                @file_put_contents($path_includes, $htaccess_includes);
            }
        } else {
            unlink($path_includes);
        }
    }
}

POC

Despite being blacklisted, it is still possible to configure the .htaccess file to treat this file extension as executable, similar to a regular PHP file, enabling Remote Code Execution (RCE) to be performed.

Thanks for reading, have a nice day ❤️