Arbitrary File Upload Vulnerability In PHPCMS v9.6.0

Summary

    PHPCMS is a web-based content management system and an open source framework running under PHP. 

    A severe arbitrary file upload vulnerability has been discovered in PHPCMS v9.6.0. Attackers can abuse the upload feature to upload a webshell and gain control of the servers hosting affected websites.

    VULNERABILITY ANALYSIS

    We find that the vulnerability exists in the following file: /phpcms/libs/classes/attachment.class.php

    The value passed in is processed without any verification of the file suffix: the website accepts .php as the suffix, then copies and renames the file directly, resulting in the file upload vulnerability.
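
    The missing check described above, sketched as an added PHP example that is not code from PHPCMS or from this advisory: the suffix is allow-listed and the stored name is chosen by the server at the point where the file is written. The function names, the allow-list and the example.test URLs are assumptions made for illustration.

```php
<?php
// Added example, not PHPCMS code: function and constant names are hypothetical.
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];

// Return the allow-listed suffix for a remote file reference, or null to reject.
// The suffix comes from the parsed URL path and is compared case-insensitively.
function allowed_suffix(string $src): ?string
{
    $parts = parse_url($src);
    if (!is_array($parts) || !isset($parts['scheme'], $parts['host'], $parts['path'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    $ext = strtolower(pathinfo($parts['path'], PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXT, true) ? $ext : null;
}

// Move an already-downloaded temp file into $uploadDir under a server-chosen
// name. Returns the stored path, or null (temp file deleted) when rejected.
function store_download(string $tmpFile, string $src, string $uploadDir): ?string
{
    $ext = allowed_suffix($src);
    // The content must also parse as an image, whatever the name claims.
    if ($ext === null || @getimagesize($tmpFile) === false) {
        @unlink($tmpFile);
        return null;
    }
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return rename($tmpFile, $dest) ? $dest : null;
}

// Constructed sample inputs (example.test is a placeholder host).
foreach ([
    'http://example.test/img/avatar.PNG',
    'http://example.test/files/page.php',
    'ftp://example.test/img/a.jpg',
] as $src) {
    printf("%-38s %s\n", $src, allowed_suffix($src) ?? 'REJECTED');
}

// A file referenced with an image name but holding script text fails the content check.
$tmp = tempnam(sys_get_temp_dir(), 'up_');
file_put_contents($tmp, "<?php echo 'constructed sample'; ?>");
var_dump(store_download($tmp, 'http://example.test/img/a.jpg', sys_get_temp_dir()));
```

    Serving the upload directory with script execution disabled is a complementary control, since it keeps a stored file from running even if a name check is missed.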

    VULNERABILITY REPRODUCTION

    We built a test environment to reproduce the vulnerability:

    First, we go to the registration module of a website, fill in the required fields, and modify the src parameter to construct a malformed packet that contains a webshell.

    After the malformed packet is sent, the system returns an error along with the path to the uploaded webshell.

    Use a webshell connection tool to connect to the webshell and thereby control the server of the website.

Solution

    1. Upgrade to PHPCMS v9.6.1.

        Download link: http://bbs.phpcms.cn/thread-936226-1-1.html

    2. For Sangfor NGAF customers, update WAF to version 20170411 or above.