
CVE-2021-44673: Unrestricted Upload of File with Dangerous Type in Croogo

CVSS Score: 8.8 (CVSS v3.1)

Basic Information

EPSS Score: 0.87162%
Published: 3/11/2022
Updated: 9/20/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name   | Ecosystem | Vulnerable Versions | First Patched Version
croogo/croogo  | composer  | <= 3.0.2            | (not listed)

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability is in the admin/file-manager/attachments/add endpoint, which maps to the add() method of the AttachmentsController. The exploit shows that an authenticated user with access to the file manager (the PR:L in the CVSS vector) can upload an arbitrary PHP file and then request it from the web server, so the upload handler performs no effective file-type validation. In CakePHP-based applications such as Croogo, an add() action typically processes the submitted form, including any uploaded file. Because the method does not check the file extension or the detected content type against an allowlist, a web shell or other dangerous file type is written to a web-accessible directory under a client-chosen name, and the web server executes it on request, giving remote code execution.
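The handling the analysis describes, as an added example that is not Croogo's or CakePHP's own code: a minimal PHP attachment routine that trusts the client-supplied filename, next to a hardened version of the same routine that enforces an extension allowlist, sniffs the content type, and stores the file under a server-chosen name. The function names, the allowlist, the temp-directory demo and the constructed inputs are all assumptions made for illustration; the code assumes PHP 7.1 or later with the fileinfo extension, and in a real request move_uploaded_file() would take the place of rename().

```php
<?php
// Added example, not Croogo code: contrast an unrestricted attachment handler
// with one that validates extension and sniffed MIME type and renames the file.

declare(strict_types=1);

// Weak handler in the shape CVE-2021-44673 describes: the client's filename is
// used as-is and the file lands in a web-served directory, so "shell.php" runs.
function saveAttachmentUnrestricted(string $tmpPath, string $clientName, string $webDir): string
{
    $dest = $webDir . '/' . basename($clientName);
    rename($tmpPath, $dest);   // move_uploaded_file() in a real request
    return $dest;
}

final class UploadRejected extends RuntimeException {}

// Hardened handler: extension allowlist, content sniffing with libmagic,
// extension/MIME agreement, and a random server-side name.
function saveAttachmentChecked(string $tmpPath, string $clientName, string $storeDir): string
{
    // Extension => MIME types that may carry it. php, phtml, phar, htaccess
    // and everything else not listed here are rejected (hypothetical allowlist).
    $allowed = [
        'png'  => ['image/png'],
        'jpg'  => ['image/jpeg'],
        'jpeg' => ['image/jpeg'],
        'gif'  => ['image/gif'],
        'pdf'  => ['application/pdf'],
    ];

    $name = basename($clientName);
    // Exactly one dot: "shell.php.png" and "shell.png.php" both fail here.
    if (substr_count($name, '.') !== 1) {
        throw new UploadRejected("unexpected filename shape: $name");
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new UploadRejected("extension not allowed: .$ext");
    }

    // Sniff the bytes; $_FILES[...]['type'] is set by the client and is not trusted.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if ($mime === false || !in_array($mime, $allowed[$ext], true)) {
        throw new UploadRejected("content type " . var_export($mime, true) . " does not match .$ext");
    }

    // The client controls neither the stored name nor the extension.
    $dest = $storeDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!rename($tmpPath, $dest)) {
        throw new UploadRejected('could not store file');
    }
    return $dest;
}

// Demo on constructed inputs: a PHP web shell and a genuine 1x1 PNG header.
$work = sys_get_temp_dir() . '/attach-demo-' . bin2hex(random_bytes(4));
mkdir($work);
$webShell = "<?php system(\$_GET['c']); ?>";
$pngBytes = "\x89PNG\r\n\x1a\n"
          . "\x00\x00\x00\x0dIHDR\x00\x00\x00\x01\x00\x00\x00\x01\x08\x06\x00\x00\x00\x1f\x15\xc4\x89";

file_put_contents("$work/shell.tmp", $webShell);
echo "unrestricted stored: ", saveAttachmentUnrestricted("$work/shell.tmp", 'shell.php', $work), PHP_EOL;

// Three ways an attacker might try to smuggle PHP past the checked handler.
foreach (['shell.php', 'shell.php.png', 'notes.png'] as $bad) {
    file_put_contents("$work/t.tmp", $webShell);
    try {
        saveAttachmentChecked("$work/t.tmp", $bad, $work);
        echo "UNEXPECTED: $bad accepted", PHP_EOL;
    } catch (UploadRejected $e) {
        echo "rejected $bad: ", $e->getMessage(), PHP_EOL;
    }
}

file_put_contents("$work/png.tmp", $pngBytes);
echo "checked stored: ", saveAttachmentChecked("$work/png.tmp", 'logo.png', $work), PHP_EOL;
```

Run it with `php upload-demo.php`: the unrestricted handler writes shell.php into the directory, while the checked handler rejects shell.php (extension), shell.php.png (two dots) and notes.png (libmagic reports text/x-php, not image/png), and stores logo.png under a random hex name. The single-dot rule is deliberately strict and will also refuse legitimate names like my.photo.png; relaxing it is fine as long as the last extension is the one that is allowlisted and written. Renaming the file removes the client's control over what the web server executes, and the upload directory should in addition be configured so the server never executes scripts from it.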


WAF Protection Rules

WAF Rule

A Remote Code Execution (RCE) vulnerability exists in Croogo 3.0.2 via admin/file-manager/attachments, which lets a malicious user upload a web shell script.
