Jedox 2020.2.5 - Remote Code Execution via Configurable Storage Path

EDB-ID:

51426




Platform:

PHP

Date:

2023-05-05


# Exploit Title: Jedox 2020.2.5 - Remote Code Execution via Configurable Storage Path
# Date: 28/04/2023
# Exploit Author: Team Syslifters / Christoph MAHRL, Aron MOLNAR, Patrick PIRKER and Michael WEDL
# Vendor Homepage: https://jedox.com
# Version: Jedox 2020.2 (20.2.5) and older
# CVE : CVE-2022-47878


Introduction
=================
Incorrect input validation for the default storage path variable in the settings page allows remote, authenticated users to specify the location as web root directory. Consecutive file uploads can lead to the execution of arbitrary code. To exploit the vulnerability, the attacker sets the default storage path to the web root.


Write-Up
=================
See [Docs Syslifters](https://docs.syslifters.com/) for a detailed write-up on how to exploit vulnerability.


Proof of Concept
=================
1) In the UI in the application settings page the default storage path can be set to any value. This path could be set as the webroot directory of the webserver e.g. /htdocs/app/docroot/.

2) Then any upload/import function can be used to upload a .php webshell file to the webroot.

3) Execute webshell from the webroot directory to obtain RCE.