Login

Register

Login

Register

#hacking | BookStack struck by RCE security bug



John Leyden

16 March 2020 at 15:20 UTC

Updated: 16 March 2020 at 15:41 UTC

App needs re-binding to guard against PHP-related security flaw

A recently patched critical vulnerability in BookStack made it possible to push malware onto vulnerable systems simply by accessing the image upload feature.

Exploit scenarios for the remote code execution vulnerability (CVE-2020-5256) in BookStack – an application for building self-hosted wikis – center on where a non-trusted user has permission to upload images into the application.

“A user could upload PHP files through image upload functions, which would allow them to execute code on the host system remotely,” an advisory posted on GitHub explains.

“They would then have the permissions of the PHP process.”

The vulnerability is resolved in BookStack version 0.25.5.

Alternatively, developers should prevent the direct execution of any PHP files by applying restrictive web server configuration settings.

READ MORE Vulnerabilities in web and app frameworks fall, but weaponization rate jumps – study



Source link

Leave a Reply

AlbanianArabicEnglishFrenchGermanRussianSpanish

National Cyber Security Consulting App

 https://apps.apple.com/us/app/id1521390354

https://play.google.com/store/apps/details?id=nationalcybersecuritycom.wpapp


nationalcybersecurity.com

FREE
VIEW