TextPattern CMS
cpe:2.3:a:textpattern:textpattern:*:*:*:*:*:*:*
- <= 4.8.7
A remote code execution vulnerability has been identified in TextPattern CMS version 4.8.7. This vulnerability allows authenticated attackers to execute arbitrary commands by uploading malicious PHP files through the application's file upload feature. Once a PHP shell is uploaded via the Files section in the content area, attackers can execute commands by accessing the uploaded file through the /textpattern/files/ directory, using GET parameters to pass commands to the system function.
Exploitation of this vulnerability allows for remote code execution on the server where TextPattern CMS is hosted.
To reproduce this vulnerability, first log in to TextPattern CMS 4.8.7 as an authenticated user. Navigate to the 'Files' section under 'Content' and upload a PHP file containing a payload that includes the PHP 'system' function, such as a file named 'cmd.php' with the code 'system($_GET['cmd']);'. After uploading the file, access it through the '/textpattern/files/' directory, appending the filename and a 'cmd' parameter with the desired command to execute. The response will include the output of the executed command, indicating successful exploitation.
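A log check for the behaviour described above, added here as an example and not part of the original advisory: it flags requests in a web server access log that reach a script file under /textpattern/files/. The combined log format, the extension list, the function name and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Directory the advisory names as the place uploaded files are served from.
UPLOAD_PREFIX = "/textpattern/files/"
# Extensions often mapped to the PHP interpreter (assumption: server-dependent).
SCRIPT_EXT = re.compile(r"\.(?:php\d?|phtml|phar)(?:/|$)", re.IGNORECASE)
# Client, timestamp, request line and status of a combined-format log entry.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2024:10:01:02 +0000] "GET /textpattern/files/report.pdf HTTP/1.1" 200 48211 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2024:10:04:41 +0000] "GET /textpattern/files/cmd.php?cmd=id HTTP/1.1" 200 54 "-" "curl/8.0"',
    '198.51.100.7 - - [12/Mar/2024:10:05:03 +0000] "GET /textpattern/files/%63md.PHP?cmd=id HTTP/1.1" 403 199 "-" "curl/8.0"',
    '192.0.2.10 - - [12/Mar/2024:10:06:00 +0000] "GET /textpattern/index.php?event=file HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]


def find_upload_script_hits(lines):
    """Return one finding per request for a script file under the upload directory."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line in the expected format
        url = urlsplit(m["target"])
        path = unquote(url.path)  # decode %xx so encoded names still match
        if not path.startswith(UPLOAD_PREFIX) or not SCRIPT_EXT.search(path):
            continue
        findings.append({
            "ip": m["ip"],
            "time": m["ts"],
            "path": path,
            "params": sorted(parse_qs(url.query, keep_blank_values=True)),
            "status": int(m["status"]),  # 200 means the server answered the request
        })
    return findings


if __name__ == "__main__":
    for hit in find_upload_script_hits(SAMPLE_LOG):
        print(hit)
```

A finding with status 200 points at a file on disk that should be reviewed; a 403 or 404 shows the request was made but refused or missed.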