Security Advisory: CVE-2017-18048 - Monstra CMS 3.0.4 - Arbitrary File Upload / Remote Code Execution
Severity Rating: High
Confirmed Affected Versions: 3.0.4
Vendor URL: http://monstra.org/
ExploitDB URL: https://www.exploit-db.com/exploits/43348/
SSD Advisory: https://ssd-disclosure.com/ssd-advisory-monstra-cms-rce/
Monstra is a modern and lightweight Content Management System.
SUMMARY AND IMPACT
Monstra CMS 3.0.4 allows users to upload arbitrary files, which leads to remote command execution on the server.
In Monstra CMS, an Editor can upload files to the CMS and can access them by clicking on them from the administrator portal.
During this research, I found that the Monstra CMS allows a user with editor privileges to upload files while forbidding all types of executable files which are mentioned in monstra\plugins\box\filesmanager\filesmanager.admin.php; however, I was able to bypass this mitigation by simply uploading a php file with a “PHP” (all in uppercase) extension, which helped me to upload a shell file and execute shell commands on the server.
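To illustrate the class of defect described above, here is an added example that is not Monstra's own code: a constructed denylist compared case-sensitively (so an uppercase extension slips past it), beside a hardened check that lower-cases the extension, uses an allowlist, and also rejects forbidden extensions in any earlier segment of the name. The denylist and allowlist contents are assumptions for the example, not the list from filesmanager.admin.php.

```python
import os

# Constructed denylist standing in for the executable-extension list the
# advisory refers to; not Monstra's actual list.
FORBIDDEN = {"php", "phtml", "php3", "php5", "phar"}
# Constructed allowlist for the hardened handler.
ALLOWED = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}


def extension_of(filename: str) -> str:
    """Return the last extension without the dot, case left unchanged."""
    return os.path.splitext(filename)[1].lstrip(".")


def vulnerable_is_allowed(filename: str) -> bool:
    """Case-sensitive denylist: 'PHP' is not in the set, so 'shell.PHP' passes."""
    return extension_of(filename) not in FORBIDDEN


def hardened_is_allowed(filename: str) -> bool:
    """Normalise case, require an allowlisted final extension, and refuse a
    forbidden extension anywhere in the name (e.g. 'shell.php.jpg'), since
    some web servers honour intermediate extensions."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0]:      # no extension, or dotfile
        return False
    exts = parts[1:]
    if any(e in FORBIDDEN for e in exts):
        return False
    return exts[-1] in ALLOWED


def audit(filenames):
    """Return names the vulnerable check accepts but the hardened one rejects."""
    return [f for f in filenames
            if vulnerable_is_allowed(f) and not hardened_is_allowed(f)]


if __name__ == "__main__":
    # Constructed sample upload names.
    samples = ["photo.JPG", "notes.txt", "shell.php", "shell.PHP", "shell.php.jpg"]
    for name in samples:
        print(f"{name:16} vulnerable={vulnerable_is_allowed(name)} "
              f"hardened={hardened_is_allowed(name)}")
    print("bypasses the denylist only:", audit(samples))
```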
Thanks to the awesome article by @netbiosX
PROOF OF CONCEPT
I was not able to get the vendor to respond in any way; the software appears to have been left abandoned without support, though this is not an official status on their site (the last official patch was released on 2012-11-29). The GitHub repository appears a bit more active (last commit from 2 years ago). The patch that addresses this bug is available here: