Arbitrary File Upload Vulnerability In PHPCMS v9.6.0

  • Source: Sangfor Security Center
  • Date Published: 2017-04-13

Summary

    A severe arbitrary file upload vulnerability has been discovered in PHPCMS v9.6.0. Attackers can abuse the upload feature to upload a webshell and gain control of the servers hosting the affected websites.

    DEFINITION FROM QIANLI ENCYCLOPEDIA

    PHPCMS is a web-based content management system and an open source framework running under PHP. PHPCMS V9 (V9 for short) is based on PHP5 and MySQL, and uses OOP (Object Oriented Programming) to build its infrastructure. It also features modular development, which supports extending functions, maintaining code and secondary development, meeting the requirements of all websites.

    VULNERABILITY ANALYSIS

    We find that the vulnerability exists in the following file: /phpcms/libs/classes/attachment.class.php

    

    The value that is passed in is processed, and the website takes .php as the suffix of the file without verifying it at all. The file is then copied and renamed directly, which results in the file upload vulnerability.
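
    The missing check described above (the suffix of the fetched file is never verified before the file is copied and renamed) can be closed with an extension allowlist plus a content-type check. The following PHP is an added example, not PHPCMS code or the v9.6.1 fix; the function names, the allowlist and the sample inputs are assumptions, and it requires PHP's fileinfo extension.

```php
<?php
// Added example, not PHPCMS code. Names, allowlist and sample data are assumptions.
const EXT_TO_MIME = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                     'png' => 'image/png',  'gif'  => 'image/gif'];

// Return the allowlisted extension of a remote file URL, or null to reject it.
function allowed_remote_ext(string $url): ?string
{
    $p = parse_url($url);
    if (!is_array($p) || !isset($p['scheme'], $p['host'], $p['path'])) {
        return null;
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // Use the path component only; query string and fragment never decide the type.
    $ext = strtolower(pathinfo($p['path'], PATHINFO_EXTENSION));
    return array_key_exists($ext, EXT_TO_MIME) ? $ext : null;
}

// Store fetched bytes under a server-chosen name; null means the upload is refused.
function store_remote_image(string $url, string $bytes, string $dir): ?string
{
    $ext = allowed_remote_ext($url);
    if ($ext === null) {
        return null;
    }
    // The content must match the claimed type, so a renamed script is refused.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    if ($mime !== EXT_TO_MIME[$ext]) {
        return null;
    }
    $path = rtrim($dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return file_put_contents($path, $bytes, LOCK_EX) !== false ? $path : null;
}

// Constructed sample inputs (example.test is a placeholder host).
$gif    = "GIF89a\x01\x00\x01\x00\x00\x00\x00;";
$script = "<?php echo 'constructed sample'; ?>";
$dir    = sys_get_temp_dir();
var_dump(store_remote_image('http://example.test/a.php', $script, $dir)); // .php suffix
var_dump(store_remote_image('http://example.test/a.gif', $script, $dir)); // .gif name, script body
var_dump(store_remote_image('http://example.test/a.gif', $gif, $dir));    // genuine GIF header
```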

    VULNERABILITY REPRODUCTION

    We built a vulnerable environment to perform some tests:

    First, we go to a registration module of a website, enter the required information into the fields, and modify the src parameter to construct a malformed packet that contains a webshell.

    

    After the malformed packet is sent, the system returns an error and also the path of the uploaded webshell.

    A webshell connection tool is then used to connect to the webshell and control the server of the website.

    SOLUTION

    1. Upgrade to PHPCMS v9.6.1.

        Download link: http://bbs.phpcms.cn/thread-936226-1-1.html

    2. For Sangfor NGAF customers, update WAF to version 20170411 or above.