laravel-admin is an administrative interface builder for Laravel that lets you build CRUD backends with a few lines of code.

laravel-admin has a flaw that allows an authenticated attacker to bypass its file upload restrictions and upload a file with a *.php extension, leading to remote code execution.

Suggested description

An arbitrary file upload vulnerability in laravel-admin v1.8.19 allows attackers to execute arbitrary code via a crafted PHP file.

Vulnerability Type

Other (file upload)

Vendor of Product

https://github.com/z-song/laravel-admin

Affected Product Code Base

laravel-admin - v1.8.19

Affected Component

File upload handling: the avatar upload in the user settings page accepts a file whose name is changed to end in .php after the initial upload, and the stored file is then served and executed as PHP.

Attack Type

Remote

Impact

Code execution: true

Details

After logging in to the laravel-admin backend, open the "User setting" (“用户设置”) page, change the user's avatar, save it, and capture the resulting upload request with an intercepting proxy.

Upload a PHP file renamed with a .jpg extension.
Try to modify avatar

Upload .jpg file

After the upload succeeds, replay the captured request and change the filename in the multipart upload so that it ends in ".php".

e.g.: php.jpg.php

Replay the request
Upload succeeded

Refresh the user settings page: it reports the upload as successful and shows the URL of the uploaded .php file. Requesting that URL executes the PHP code.
PHP file is executed

The vulnerability affects laravel-admin up to and including v1.8.19, the latest release at the time of this report.
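The report does not show which check laravel-admin applied to the avatar filename, so the following is an added example rather than the project's code. It contrasts a loose extension check that a name like php.jpg.php passes with a strict check on the final extension, and shows a server-side naming scheme that never reuses the client-supplied name. The function names, the allowlist and the sample inputs (a benign PHP snippet and a minimal GIF header) are assumptions constructed for illustration.

```php
<?php
// Added example (not laravel-admin's own code): why "php.jpg.php" gets past a
// loose extension check, and what a stricter upload handler does instead.

// Loose check: accepts the name if any allowed extension appears anywhere in it,
// so "php.jpg.php" passes because of the ".jpg" in the middle.
function loose_name_check(string $filename, array $allowed): bool
{
    foreach ($allowed as $ext) {
        if (stripos($filename, '.' . $ext) !== false) {
            return true;
        }
    }
    return false;
}

// Strict check: only the final extension counts, compared case-insensitively
// against the allowlist, so "php.jpg.php" and "x.jpg.PhP" are rejected.
function strict_name_check(string $filename, array $allowed): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return in_array($ext, $allowed, true);
}

// Content check plus server-side naming: the stored name is derived from the
// detected image type, never from the client filename, so it has exactly one
// extension and that extension can never be .php.
function stored_avatar_name(string $bytes): ?string
{
    $info = @getimagesizefromstring($bytes);   // false for non-image bytes
    if ($info === false) {
        return null;
    }
    $extByType = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];
    if (!isset($extByType[$info[2]])) {
        return null;
    }
    return bin2hex(random_bytes(16)) . '.' . $extByType[$info[2]];
}

$allowed = ['jpg', 'jpeg', 'png', 'gif'];   // assumed allowlist

// Filenames an attacker might send in the replayed multipart request.
foreach (['avatar.jpg', 'php.jpg.php', 'x.jpg.PhP', 'shell.php'] as $name) {
    printf("%-12s loose=%-7s strict=%s\n", $name,
        loose_name_check($name, $allowed) ? 'accept' : 'reject',
        strict_name_check($name, $allowed) ? 'accept' : 'reject');
}

// Constructed sample bodies: a benign PHP snippet and a minimal GIF89a header
// (signature, 1x1 logical screen, no global colour table).
$phpPayload = "<?php echo 'hello'; ?>";
$gifHeader  = "GIF89a" . "\x01\x00\x01\x00" . "\x00\x00\x00";

var_dump(stored_avatar_name($phpPayload));  // NULL: the bytes are not an image
var_dump(stored_avatar_name($gifHeader));   // a 32-hex-character name ending in ".gif"
```

Two caveats belong with any fix of this kind. First, the upload directory should be served by the web server as static content with script execution disabled, so a file that slips through is returned as bytes rather than run; on Apache with a `AddHandler ... .php` style configuration a double extension such as shell.php.jpg can also be executed, which is why the stored name above carries a single server-chosen extension. Second, to confirm a fix, repeat the replay from the Details section with the filename php.jpg.php and check that the stored file's URL does not end in .php and that requesting it returns the raw content instead of executing it.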

Others

CVE ID: CVE-2023-24249

Github: https://github.com/z-song/laravel-admin

Official website: https://laravel-admin.org/

Issues page: https://github.com/z-song/laravel-admin/issues/5726