e107 CMS File Upload Vulnerability Allowing Server File Override

A file upload vulnerability has been identified in e107 CMS version 3.2.1. This vulnerability allows authenticated administrators to override server files using the Media Manager import functionality. By manipulating the upload URL parameter, administrators can replace existing files, such as top.php, in the web application directory.

Impact

Exploitation of this vulnerability allows for unauthorized file overwrites on the server, potentially leading to the execution of malicious code if the overwritten file is a PHP script.

Reproduction

To reproduce this vulnerability, an authenticated administrator can upload a file through the Media Manager. By selecting a file type that is normally restricted, such as an SVG containing JavaScript, and using the import feature to upload it to the server, the administrator can bypass the upload restrictions. Once uploaded, the SVG file can be accessed and executed, leading to a stored cross-site scripting vulnerability. Additionally, this method can be used to upload and execute PHP files by placing them in the appropriate directory.