Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Havalite CMS Arbitrary File Upload Vulnerability Allowing Remote Code Execution

Vulnerability

An unauthenticated arbitrary file upload vulnerability has been identified in Havalite CMS versions through 1.1.7. The issue resides in the upload.php script, which neither authenticates the caller nor validates the extension of the uploaded file. A remote attacker without credentials can therefore upload a PHP file via a crafted multipart/form-data POST request. Uploaded files are written to the havalite/tmp/files/ directory, from which they can be requested directly and are executed by the web server, leading to remote code execution.

Impact

Exploitation of this vulnerability allows an unauthenticated remote attacker to upload arbitrary files to the server and, by uploading PHP code and then requesting it, to execute that code with the privileges of the web server process, resulting in remote code execution.
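Because the page reports active exploitation, the trace worth hunting for in web-server access logs is the pair of requests the description implies: a POST to upload.php followed by a request for an executable file under havalite/tmp/files/. The following check is an added example, not part of the original advisory or of Havalite itself; the log lines it runs over are constructed, and the extension list covers what a typical PHP handler executes rather than anything the advisory states.

```python
import re

# Constructed sample lines in Apache "combined" format (not real traffic). The
# first two show the upload-then-fetch pattern, the third is benign, the fourth
# is a probe for a non-.php extension that the server refused.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Aug/2025:21:30:01 +0000] "POST /havalite/upload.php HTTP/1.1" 200 152 "-" "python-requests/2.32"
203.0.113.5 - - [01/Aug/2025:21:30:02 +0000] "GET /havalite/tmp/files/shell.php?cmd=id HTTP/1.1" 200 37 "-" "python-requests/2.32"
198.51.100.7 - - [01/Aug/2025:21:31:10 +0000] "GET /havalite/tmp/files/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Aug/2025:21:31:11 +0000] "GET /havalite/tmp/files/photo.phtml HTTP/1.1" 404 211 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Extensions a typical PHP handler executes; matching ".php" alone misses phtml/php5.
EXEC_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)


def parse(line):
    """Return a dict for one combined-format log line, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["file"] = rec["path"].split("?", 1)[0]  # strip the query string before extension matching
    return rec


def find_suspicious(lines):
    """Flag POSTs to upload.php and executable files requested from tmp/files/.

    A PHP file fetched from tmp/files/ by an IP that posted to upload.php earlier
    in the same log is the strongest signal, but any executable file requested
    from that directory deserves a look: it should only hold uploaded content.
    """
    findings, uploaders = [], set()
    for rec in filter(None, map(parse, lines)):
        if rec["method"] == "POST" and rec["file"].endswith("/upload.php"):
            uploaders.add(rec["ip"])
            findings.append({"ip": rec["ip"], "kind": "upload_post", "path": rec["path"], "status": rec["status"]})
        elif "/tmp/files/" in rec["file"] and EXEC_EXT.search(rec["file"]):
            kind = "executable_fetched_by_uploader" if rec["ip"] in uploaders else "executable_in_tmp_files"
            findings.append({"ip": rec["ip"], "kind": kind, "path": rec["path"], "status": rec["status"]})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"{f['ip']:15} {f['kind']:32} {f['status']} {f['path']}")
```

Feed real logs through find_suspicious(open(path)) instead of the sample; a 404 on a .phtml or .php5 request is still worth recording, since it shows someone testing which extensions the handler will run. Corroborate hits by listing havalite/tmp/files/ on the host for any file the application itself would not have put there.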

Reproduction

To reproduce this vulnerability, send a multipart/form-data POST request to the upload.php script in the Havalite CMS directory containing a file part whose filename carries a .php extension. The part's declared Content-Type can be set to an image type such as image/png; because the script validates neither the extension nor the session, the file is accepted regardless. It is then reachable under the tmp/files directory, and requesting it there causes the web server to execute the PHP code it contains, leading to remote code execution. For a safe check, upload a file that only echoes a fixed marker string rather than a command shell, confirm that the marker (and not the PHP source) comes back, and delete the file afterwards.

Added: Aug 1, 2025, 9:32 PM
Updated: Aug 1, 2025, 9:32 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 6.4
remediation: 0.0
relevance: 0.3
threat: 9.7
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.