Arbitrary File Upload Vulnerability In PHPCMS v9.6.0
- Date Published: 2017-04-13
- Last Updated: 2017-04-13
- Version Affected: PHPCMS v9.6.0
PHPCMS is a web-based content management system and an open source framework running under PHP.
A severe arbitrary file upload vulnerability has been discovered in PHPCMS v9.6.0. Attackers can abuse the upload feature to upload a Webshell and take control of the servers hosting affected websites.
The vulnerability exists in the following file: /phpcms/libs/classes/attachment.class.php
The passed-in value is processed and .php is taken as the file's suffix without any verification. The file is then copied and renamed directly, which results in the file upload vulnerability.
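The following is an added example, not PHPCMS code and not the v9.6.1 patch: one way to perform the missing suffix check before a remote file is copied and renamed. The function names `safe_remote_ext` and `stored_name`, the allowlist, and the `media.example` URLs are assumptions made for illustration.

```php
<?php
// Added example (not PHPCMS code). Names and the allowlist are assumptions.

const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];

/**
 * Return a validated extension for a remote attachment URL, or null to reject.
 * Only the URL path is inspected, so text in the query string or fragment
 * can never satisfy (or bypass) the extension check.
 */
function safe_remote_ext(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'], $parts['path'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    $ext = strtolower(pathinfo($parts['path'], PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXT, true) ? $ext : null;
}

/**
 * Build the stored file name on the server: a random name plus the
 * validated extension. Nothing from the request reaches the file name.
 */
function stored_name(string $ext): string
{
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample inputs.
$samples = [
    'http://media.example/a/photo.JPG',        // accepted: jpg is on the allowlist
    'http://media.example/a/page.php',         // rejected: php is not on the allowlist
    'http://media.example/a/page.php?x=1.jpg', // rejected: the query string is ignored
    'ftp://media.example/a/photo.jpg',         // rejected: scheme is not http(s)
    'http://media.example/a/noextension',      // rejected: no extension at all
];

foreach ($samples as $url) {
    $ext = safe_remote_ext($url);
    echo $url, ' => ', $ext === null ? 'rejected' : 'stored as ' . stored_name($ext), PHP_EOL;
}
```

As a second layer, the upload directory should be configured on the web server so that files in it are never executed as PHP.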
We built a vulnerable environment to perform some tests:
First, we go to the registration module of a website, fill in the required fields, and modify the src parameter to construct a malformed packet that contains a Webshell.
After the malformed packet is sent, the system returns an error together with the path of the uploaded Webshell.
A Webshell connection tool is then used to connect to the Webshell and control the server of the website.
1. Upgrade to PHPCMS v9.6.1.
Download link: http://bbs.phpcms.cn/thread-936226-1-1.html
2. For Sangfor NGAF customers, update WAF to version 20170411 or above.