Snews CMS Unrestricted File Upload Vulnerability Allowing Remote Code Execution

Vulnerability

Snews CMS version 1.7 allows unrestricted file uploads. The multipart form-data upload endpoint does not validate the name or content of the submitted file, so an unauthenticated attacker can upload arbitrary files, including PHP scripts, into the 'snews_files' directory. Because that directory is served by the web server, requesting the uploaded file's path causes the PHP script to be executed, resulting in remote code execution.
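The following is an added illustration of what "proper validation" of an upload means in practice; it is not code from Snews CMS or from the advisory. It contrasts the behaviour described above (the client-supplied file name is stored as-is) with a validating handler that enforces an extension allowlist, rejects any server-side script extension anywhere in the name, checks the content's magic bytes against the declared type, refuses files that embed a PHP open tag, and stores the file under a random name. The extension and magic-byte tables and the size limit are assumptions chosen for the example.

```python
import os
import secrets
from dataclasses import dataclass

# Extensions a typical PHP web server may hand to the script handler. Checking every
# dotted component, not only the last one, also blocks "shell.php.jpg" style names,
# which some Apache configurations still execute.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phps", "phtml", "phar", "pht"}
# Allowlist of types the upload feature is actually meant to accept (assumption).
ALLOWED_EXTS = {"jpg", "jpeg", "png", "gif", "pdf"}
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
MAX_BYTES = 5 * 1024 * 1024  # assumed upper bound for an upload


@dataclass
class Decision:
    accepted: bool
    reason: str
    stored_name: str = ""


def unrestricted_store(filename: str, data: bytes) -> Decision:
    """The behaviour the advisory describes: whatever the client names the file,
    it is written under that name into the served directory."""
    return Decision(True, "no validation", os.path.basename(filename))


def validated_store(filename: str, data: bytes) -> Decision:
    """Validating replacement. Returns the random name the file should be stored
    under; the directory itself should additionally have script execution disabled."""
    name = os.path.basename(filename.replace("\\", "/"))
    parts = name.lower().split(".")
    # Names like ".htaccess" (empty first component) or "shell" (no extension)
    # are rejected outright; an uploaded .htaccess could re-enable execution.
    if len(parts) < 2 or not parts[0]:
        return Decision(False, "no extension")
    ext = parts[-1]
    if any(p in EXECUTABLE_EXTS for p in parts[1:]):
        return Decision(False, "server-side script extension in name")
    if ext not in ALLOWED_EXTS:
        return Decision(False, f"extension .{ext} not in allowlist")
    if len(data) > MAX_BYTES:
        return Decision(False, "too large")
    if not data.startswith(MAGIC[ext]):  # startswith accepts a tuple of prefixes
        return Decision(False, "content does not match declared type")
    # Heuristic polyglot check: a valid image header followed by PHP code would
    # pass the magic-byte test, so refuse PHP open tags anywhere in the body.
    if b"<?php" in data or b"<?=" in data:
        return Decision(False, "embedded PHP open tag")
    stored = f"{secrets.token_hex(16)}.{ext}"  # attacker never controls the path
    return Decision(True, "ok", stored)


if __name__ == "__main__":
    # Constructed sample uploads, not real traffic.
    samples = [
        ("shell.php", b"<?php system($_GET['c']); ?>"),
        ("shell.php.jpg", b"\xff\xd8\xff\xe0 fake jpeg"),
        ("poly.gif", b"GIF89a<?php echo 1; ?>"),
        ("photo.jpg", b"\xff\xd8\xff\xe0 real-looking jpeg bytes"),
    ]
    for fname, blob in samples:
        print(fname, "unrestricted ->", unrestricted_store(fname, blob))
        print(fname, "validated   ->", validated_store(fname, blob))
```

The validating handler is deliberately conservative: a random stored name removes the attacker's control over the path, and the extension check is applied to every component so that double-extension tricks fail even on web servers that match handlers against any part of the file name.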

Impact

Exploitation allows unauthenticated remote code execution on the server hosting Snews CMS. The uploaded script runs with the privileges of the web server process, which gives the attacker control of the site and a foothold on the host.

Reproduction

Submit a PHP file to the 'snews_files' upload endpoint as a multipart/form-data request; no authentication is required. The file is written to the 'snews_files' directory under the web root, and requesting its path causes the web server to execute it. When verifying, distinguish a response that shows the script's output from one that returns the PHP source verbatim: the latter confirms the unrestricted upload but not code execution on that particular deployment.

Added: Apr 4, 2026, 2:28 PM
Updated: Apr 4, 2026, 2:28 PM