Exploiting Livewire: CVE-2024-47823 Puts Laravel Apps at Risk

Summary: A high-severity vulnerability, CVE-2024-47823, has been disclosed in Livewire, a full-stack framework for Laravel. In versions prior to 3.5.2 the extension of an uploaded file is derived from its MIME type rather than checked against the extension of the uploaded filename, so an attacker can upload a PHP file disguised as an image. If the application stores the file on a public disk under its original name and the web server executes .php files, the result is Remote Code Execution (RCE).

Threat Actor: Unknown
Victim: Livewire users

Key Points:

  • Vulnerable versions derive the file extension from the upload's MIME type, so a file named with a dangerous extension such as .php but sent with a benign MIME type such as image/png passes extension-based validation.
  • Remote Code Execution can be achieved if the web server executes PHP files from public directories.
  • The flaw was patched in Livewire version 3.5.2, which now includes stricter validation for file uploads.
  • Developers are urged to update to the latest version and enhance server configurations to mitigate risks.

A newly discovered vulnerability, CVE-2024-47823, has been identified in Livewire, a popular full-stack framework for Laravel used to build dynamic UI components without leaving PHP. This security flaw, which received a CVSS score of 7.7, allows attackers to abuse file uploads and, under certain application and server configurations, achieve Remote Code Execution (RCE) on affected systems.

Livewire simplifies the development of dynamic user interfaces by integrating seamlessly with Laravel. However, versions prior to v3.5.2 validate uploaded files in a way that can be bypassed.

In these vulnerable versions, the extension of an uploaded file is guessed from its MIME type rather than taken from the uploaded filename and validated. An attacker can therefore upload a file with a benign MIME type, such as image/png, but a dangerous file extension like .php, and an extension rule such as extensions:png will accept it. If the file is then written to a location from which the web server executes PHP, this opens the door to Remote Code Execution.

Security researcher Jeremy Angele, who reported the flaw, described how attackers could take advantage of the Livewire vulnerability under specific conditions:

  • Filename is composed of the original file name using $file->getClientOriginalName()
  • Files stored directly on your server in a public storage disk
  • Webserver is configured to execute “.php” files

In a Proof of Concept (PoC) scenario, Angele demonstrated how an attacker could upload a file named shell.php with a declared MIME type of image/png. Once the file has been stored under its original name on a public disk, the attacker triggers execution simply by requesting it through the web server, which runs it as PHP and hands the attacker remote access to the server.

<?php

namespace App\Livewire;

use Livewire\Attributes\Validate;
use Livewire\Component;
use Livewire\WithFileUploads;

// Vulnerable pattern (Livewire < 3.5.2): the `image|extensions:png` rules are
// evaluated against an extension guessed from the MIME type, so "shell.php"
// sent as image/png passes. The client-supplied filename is then reused on
// the public disk, where the web server may execute it.
class SomeComponent extends Component
{
    use WithFileUploads;

    #[Validate('image|extensions:png')]
    public $file;

    public function save()
    {
        $this->validate();

        $this->file->storeAs(
            path: 'images',
            name: $this->file->getClientOriginalName(),
            options: ['disk' => 'public'],
        );
    }
}

CVE-2024-47823 was patched in Livewire version 3.5.2. The patch includes stricter validation of file extensions during uploads, ensuring that files with mismatched MIME types and extensions are blocked.

To protect your systems, update to Livewire 3.5.2 or later immediately. Developers are also advised to configure their web servers so that PHP is never executed from public upload directories, to store uploads outside the web root where possible, to avoid reusing the client-supplied filename on disk, and to validate both the detected MIME type and the extension of the original filename before storing a file.
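The following is an added example, not code from the article or from the Livewire project, showing a hardened counterpart to the vulnerable component: it takes the extension from the client-supplied filename with pathinfo(), cross-checks it against the MIME type detected from the file contents, discards the client filename in favour of a generated one, and stores the file on a disk the web server does not serve. It assumes Livewire v3's TemporaryUploadedFile API (getClientOriginalName(), getMimeType(), storeAs()) and Laravel's default non-public local disk; the component name, the ALLOWED map and the 'uploads' path are illustrative choices.

```php
<?php
// Added example (not from the original article or from Livewire). Assumes
// Livewire v3 TemporaryUploadedFile and Laravel's default `local` disk, which
// lives under storage/app and is not exposed by the web server.

namespace App\Livewire;

use Illuminate\Support\Str;
use Livewire\Attributes\Validate;
use Livewire\Component;
use Livewire\WithFileUploads;

class SafeUploadComponent extends Component
{
    use WithFileUploads;

    /**
     * Allowlist: each permitted extension mapped to the MIME types a file with
     * that extension may legitimately carry. Both sides must agree, so neither
     * a spoofed Content-Type nor a spoofed filename is enough on its own.
     */
    private const ALLOWED = [
        'png'  => ['image/png'],
        'jpg'  => ['image/jpeg'],
        'jpeg' => ['image/jpeg'],
        'gif'  => ['image/gif'],
    ];

    // Framework rules stay as a first line of defence; the explicit check in
    // save() does not depend on how the `extensions:` rule derives its value.
    #[Validate('required|file|max:2048')]
    public $file;

    public function save(): void
    {
        $this->validate();

        // 1. Take the extension from the client-supplied *name*, not from a
        //    value guessed from the MIME type. "shell.php" yields "php" here no
        //    matter which Content-Type the attacker declared.
        $original = $this->file->getClientOriginalName();
        $ext = strtolower(pathinfo($original, PATHINFO_EXTENSION));

        // 2. Detect the MIME type from the stored bytes (fileinfo), not from the
        //    request, and require it to match the allowlist for that extension.
        $mime = $this->file->getMimeType();

        if (! isset(self::ALLOWED[$ext]) || ! in_array($mime, self::ALLOWED[$ext], true)) {
            $this->addError('file', 'File type not allowed.');
            return;
        }

        // 3. Never reuse the client filename on disk; generate our own name and
        //    append only an extension that passed the allowlist above.
        $name = Str::uuid()->toString() . '.' . $ext;

        // 4. Store on a disk the web server does not serve. Later reads go
        //    through a controller (e.g. Storage::download()), so no uploaded
        //    byte is ever reachable as an executable script.
        $this->file->storeAs(
            path: 'uploads',
            name: $name,
            options: ['disk' => 'local'],
        );
    }
}
```

Once the application runs Livewire 3.5.2 or later, the framework rules `extensions:png,jpg,jpeg,gif` and `mimes:png,jpg,jpeg,gif` can be layered on top of this check, but the explicit cross-check above holds regardless of framework version. The web-server side of the mitigation is separate: whatever directory the public disk maps to should have PHP execution disabled (for Apache with mod_php, `php_flag engine off` in that directory; for nginx, a location block for the upload path that does not hand `.php` requests to php-fpm).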

Source: https://securityonline.info/exploiting-livewire-cve-2024-47823-puts-laravel-apps-at-risk