[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] CVE-2021-45040 - Laravel Media Library Pro <=2.1.6 - Arbitrary File Upload (Unauthenticated)

To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
Subject: [FD] CVE-2021-45040 - Laravel Media Library Pro <=2.1.6 - Arbitrary File Upload (Unauthenticated)
From: Kelvin Yip <kelvin@xxxxxxxxxxxxxxxxxx>
Date: Sun, 13 Mar 2022 17:13:46 +0000

Hi Team,

Here is the exploit information for CVE-2021-45040.

Below is summary of timeline for reference:

  1.  Contact developer (security contact: Freek) regarding the vulnerability 
at Mon 12/13/2021 11:42 AM (GMT+8)
  2.  Contact CERT.org at Mon 12/13/2021 10:36 PM
  3.  Submit CVE Request to Mitre at Mon 12/13/2021 11:30 PM
  4.  No response from vendor until now.
  5.  Possible solution had been documented by our research team:  
https://cybersecthreat.com/2022/03/14/cve-2021-45040/

Best,
Kelvin Yip
CyberSecThreat

# Exploit Title: Laravel Media Library Pro <=2.1.6 - Arbitrary File Upload 
(Unauthenticated)    
# Google Dork: -
# Date: Mar 13, 2022
# Exploit Author: Kelvin Yip <kelvin@xxxxxxxxxxxxxxxxxx>
# Vendor Homepage: https://spatie.be/ 
# Software Link: https://spatie.be/products/media-library-pro
# Version: <=1.17.10 & <=2.1.6
# Tested on: Laradock (PHP 8.0) inside Ubuntu 20.04
# CVE : CVE-2021-45040

#######################################################################################################
Description:

The Spatie media-library-pro library through 1.17.10 & 2.1.6 for Laravel allows 
remote attackers to upload executable files via the uploads route.

#######################################################################################################
Xploit : Arbitrary File Upload (Unauthenticated)

Default URL: http://server/api/media-library-pro/uploads OR 
http://server/media-library-pro/uploads

Note: The URL can be changed by developer. 

Upload a PHP webshell or shell file with 3 parameters: (uuid, name and file), 
the JSON response will contain â??original_urlâ??, access the URL in the 
browser to get the shell access.

#######################################################################################################
Additional Information for setup, test and solutions: 
https://cybersecthreat.com/2022/03/14/cve-2021-45040/
#######################################################################################################

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] Loki RAT (Relapse) / SQL Injection
Next by Date: [FD] RedLine.MainPanel - cracked.exe / Insecure Permissions
Previous by thread: [FD] Loki RAT (Relapse) / SQL Injection
Next by thread: [FD] RedLine.MainPanel - cracked.exe / Insecure Permissions
Index(es):
- Date
- Thread