e107 CMS File Upload Vulnerability Allowing Remote Code Execution

Vulnerability

A file upload vulnerability has been identified in e107 CMS version 3.2.1. It allows an authenticated administrative user to bypass the upload restrictions and place executable PHP files on the server: by manipulating the upload URL parameter of the Media Manager import feature, the attacker can write a malicious PHP file into a parent directory outside the intended upload location, and the resulting file can be executed, giving remote code execution.

Impact

Exploitation of this vulnerability leads to remote code execution on the server.

Reproduction

To reproduce this vulnerability, an authenticated admin user can upload a file via the Media Manager. By selecting a file type that is normally restricted, such as an SVG or PHP file, and using the import feature to upload it from a remote location, the file can be executed on the server. For example, uploading a PHP file named 'cmd.php' and then accessing it directly would demonstrate the successful execution of the uploaded code.
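The two checks a defender would want in front of the import feature described above, as an added PHP example that is not e107's own code; the media root path, the parameter names and the extension allowlist are assumptions:

```php
<?php
// Added example, not e107 project code. The media root, the parameter names
// and the extension allowlist are assumptions; the rule it enforces is the one
// the advisory calls for: only allowlisted extensions, and only inside the
// media directory (no escape into a parent directory via the URL/path input).
declare(strict_types=1);

const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'webp', 'pdf'];

/**
 * Returns the absolute destination path for an imported file, or null if the
 * import must be refused.
 *
 * @param string $mediaRoot    absolute media directory (trusted, from config)
 * @param string $targetSubdir subdirectory requested by the client (untrusted)
 * @param string $remoteName   file name derived from the remote URL (untrusted)
 */
function safeImportDestination(string $mediaRoot, string $targetSubdir, string $remoteName): ?string
{
    // 1. Extension allowlist. Every dotted segment after the first is checked,
    //    so "cmd.php", "logo.svg" and "shell.php.jpg" are all refused. This is
    //    deliberately conservative: "my.holiday.jpg" is refused as well.
    $base  = basename($remoteName);
    $parts = explode('.', $base);
    if (count($parts) < 2 || $parts[0] === '') {
        return null;
    }
    foreach (array_slice($parts, 1) as $segment) {
        if (!in_array(strtolower($segment), ALLOWED_EXTENSIONS, true)) {
            return null;
        }
    }

    // 2. Path containment. realpath() collapses "../" and symlinks, so the
    //    resolved directory is compared against the resolved media root.
    $root = realpath($mediaRoot);
    $dir  = realpath($mediaRoot . DIRECTORY_SEPARATOR . $targetSubdir);
    if ($root === false || $dir === false) {
        return null; // media root missing, or the requested subdir does not exist
    }
    $rootPrefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($dir !== $root && strncmp($dir . DIRECTORY_SEPARATOR, $rootPrefix, strlen($rootPrefix)) !== 0) {
        return null; // "../" or an absolute path tried to leave the media root
    }

    return $dir . DIRECTORY_SEPARATOR . $base;
}
```

Call it before any data fetched from the remote URL is written to disk, and treat a null return as a refused import.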

Added: Jan 14, 2026, 12:28 AM
Updated: Jan 14, 2026, 12:28 AM

Vulnerability Rating

Custom Algorithm

Category        Score
spread          5.2
impact          7.5
exploitability  5.9
remediation     0.0
relevance       2.1
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.