
Rukovoditel - Login Page Configuration | RCE - CVE-2020-11815

Version: 2.5.2

Vulnerability: File Upload

CVE: CVE-2020-11815

CVSS 3.x Base Score: 9.8 CRITICAL

Rukovoditel is a free web-based open-source project management application. A far cry from traditional applications, Rukovoditel gives users a broader and extensive approach to project management. Its customization options allow users to create additional entities, modify and specify the relationship between them, and generate the necessary reports. The platform enables users to craft their own application that is specifically tailored for their activity (CRM, ERP, HRM, WMS, etc.).

In Rukovoditel v2.5.2, an attacker can upload an arbitrary file to the server simply by changing the Content-Type of the uploaded part. As a result, the attacker can execute commands on the server.

As the request shown below illustrates, an attacker only needs to set the Content-Type of the uploaded file to image/gif to upload an arbitrary file to the server. Other upload handlers in the application encrypt the file name and store the file under that encrypted name, but this protective mechanism is not used on this page.
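The root cause described above is a server trusting the client-declared Content-Type. In PHP, `$_FILES['x']['type']` is copied verbatim from the multipart header the client sent, so it is attacker-controlled. The following is an added example written for this post, not Rukovoditel's own code: a weak check of the kind the advisory describes beside a hardened handler that sniffs the real file content, forces the extension from the detected type, and stores the file under a random name. The function names, the form field `logo` and the `$uploadDir` parameter are hypothetical.

```php
<?php
// Added example (not Rukovoditel's code). Function names, the "logo" form
// field and $uploadDir are hypothetical.
declare(strict_types=1);

// WEAK: $_FILES['logo']['type'] is whatever Content-Type the client put in the
// multipart part, so labelling a PHP file as "image/gif" passes this check.
function weakAcceptsUpload(array $file): bool
{
    $allowed = ['image/gif', 'image/png', 'image/jpeg'];
    return in_array($file['type'], $allowed, true);
}

// HARDENED: ignore the declared type, sniff the uploaded bytes, allowlist the
// detected type, and store under a server-chosen random name with a forced
// extension. Returns the stored file name, or null if the upload is rejected.
function hardenedAcceptsUpload(array $file, string $uploadDir): ?string
{
    // Detected MIME type => extension the server will assign.
    $allowedMime = [
        'image/gif'  => 'gif',
        'image/png'  => 'png',
        'image/jpeg' => 'jpg',
    ];

    if (!isset($file['tmp_name'], $file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    // Confirm the path really is this request's uploaded temp file.
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }

    // Detect the type from the file content, never from $file['type'].
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if ($detected === false || !isset($allowedMime[$detected])) {
        return null;
    }

    // Second check: the image header must parse. This only validates the
    // header, so the forced extension below is what stops execution.
    if (@getimagesize($file['tmp_name']) === false) {
        return null;
    }

    // Discard the client's file name entirely; the extension comes from the
    // detected type, so a name like "shell.php" cannot survive.
    $name = bin2hex(random_bytes(16)) . '.' . $allowedMime[$detected];
    $dest = rtrim($uploadDir, '/') . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    // Stored file is data, not something the web server should execute.
    chmod($dest, 0644);
    return $name;
}

// Usage in a request handler (hypothetical field name "logo"):
// $stored = hardenedAcceptsUpload($_FILES['logo'] ?? [], __DIR__ . '/uploads');
// if ($stored === null) { http_response_code(400); exit('Upload rejected'); }
```

Two design points matter here. First, the weak and hardened versions differ in what they trust: the hardened handler never reads `$file['type']` at all, because that field is the exact thing the attacker changes. Second, the random name plus forced extension is the same class of protection the post says the application's other upload handlers already apply; pairing it with an upload directory on which the web server does not execute scripts means that even a file that slips past content sniffing is served as static data rather than run.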

This post is licensed under CC BY 4.0 by the author.