Sflog! CMS Arbitrary File Upload Vulnerability Leading to Remote Code Execution

An authenticated arbitrary file upload vulnerability has been identified in Sflog! CMS version 1.0. This vulnerability exists in the blog management interface, where the application allows authenticated users to upload files via manage.php. The upload mechanism does not properly validate file types, enabling the upload of PHP backdoors into a web-accessible directory. Once executed, this backdoor allows for full remote code execution on the server.

Impact

Exploitation of this vulnerability allows for arbitrary file uploads, which can be leveraged to execute malicious PHP scripts on the server, leading to full remote code execution.

Reproduction

To reproduce this vulnerability, log into the Sflog! CMS admin panel using the default credentials (admin:secret). Navigate to the blog management interface and upload a file through the provided upload mechanism. Since the file type is not properly validated, a PHP file can be uploaded as a backdoor. After the file is uploaded, it can be accessed via the web and executed, resulting in remote code execution on the server.