Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

LibrettoCMS File Manager Unauthenticated Arbitrary File Upload Vulnerability

Vulnerability

A vulnerability allowing unauthenticated arbitrary file uploads has been identified in LibrettoCMS versions through 1.1.7, specifically within the File Manager plugin. The issue arises because the upload handler at 'adm/ui/js/ckeditor/plugins/pgrfilemanager/php/upload.php' does not properly validate file extensions. This flaw allows attackers to upload files with deceptive extensions, which can be renamed to executable .php scripts, leading to remote code execution on the server.

Impact

Exploitation of this vulnerability allows for arbitrary file uploads, which can be leveraged to execute malicious PHP scripts on the server, resulting in unauthorized remote code execution.

Reproduction

To reproduce this vulnerability, upload a PHP shell disguised as a .doc file through the File Manager plugin's upload feature. After uploading, rename the file to a .php extension. The uploaded file can then be accessed and executed, compromising the server.
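The following is an added example, not LibrettoCMS code, of how an upload handler and its rename step can enforce one extension allowlist so that the upload-then-rename chain described above is closed at both steps; the function names, the upload directory argument and the allowlist contents are assumptions for illustration.

```php
<?php
// Added example (not the plugin's code): the same extension policy applied to
// BOTH the upload and the rename step of a file manager. Both handlers assume
// the caller has already enforced an authenticated session.

const ALLOWED_EXTENSIONS = ['doc', 'docx', 'pdf', 'png', 'jpg', 'jpeg', 'gif', 'txt'];

// Returns the sanitized basename if every dot-separated suffix is allowlisted,
// or null if the name must be rejected. Checking every suffix (not only the
// last one) refuses names such as "shell.php.doc" as well as "shell.php".
function acceptedName(string $name): ?string
{
    $base = basename(str_replace("\\", '/', $name)); // drop any directory part
    // Reject empty names, hidden files and names without an extension.
    if ($base === '' || $base[0] === '.' || strpos($base, '.') === false) {
        return null;
    }
    $parts = explode('.', strtolower($base));
    array_shift($parts); // drop the stem, keep every suffix
    foreach ($parts as $ext) {
        if ($ext === '' || !in_array($ext, ALLOWED_EXTENSIONS, true)) {
            return null;
        }
    }
    return $base;
}

// Upload step: validate before moving the temp file under the web root.
// $file is one entry of $_FILES; $uploadDir is an assumed destination directory.
function handleUpload(array $file, string $uploadDir): ?string
{
    $base = acceptedName($file['name'] ?? '');
    if ($base === null || ($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $dest = rtrim($uploadDir, '/') . '/' . $base;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

// Rename step: the same policy must apply here, otherwise a file accepted as
// "shell.doc" can be turned into "shell.php" after the upload check has passed.
function handleRename(string $uploadDir, string $old, string $new): bool
{
    $oldBase = acceptedName($old);
    $newBase = acceptedName($new);
    if ($oldBase === null || $newBase === null) {
        return false;
    }
    $dir = rtrim($uploadDir, '/');
    return rename("$dir/$oldBase", "$dir/$newBase");
}
```

Pair this with web-server configuration that refuses to execute scripts from the upload directory, so that a bypass of the name check alone does not yield code execution.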

Added: Aug 4, 2025, 6:38 PM
Updated: Aug 4, 2025, 6:38 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 9.1
remediation: 0.0
relevance: 0.3
threat: 9.7
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.