e107 CMS File Upload Vulnerability Allowing Arbitrary File Overwrite

A critical file upload vulnerability has been identified in e107 CMS version 3.2.1. This vulnerability allows authenticated administrators to override arbitrary server files through path traversal. It arises in the Media Manager's remote URL upload feature (image.php), where the upload_caption parameter is inadequately sanitized. Administrators can exploit this by inserting directory traversal sequences in the upload_caption field to overwrite essential system files outside the designated upload directory. This could lead to a complete compromise of the web application by allowing the replacement of configuration files, executable scripts, or other vital system components.

Impact

Exploitation of this vulnerability could result in unauthorized file overwrites, potentially allowing for the execution of malicious scripts or the modification of critical application files, leading to a full compromise of the web application.

Reproduction

To reproduce this vulnerability, an authenticated administrator can navigate to the Media Manager's upload section. By selecting the option to upload a file from a remote URL, the administrator can insert a crafted URL that includes directory traversal sequences in the upload_caption parameter. Once the file is uploaded, the traversed path can be used to overwrite sensitive files on the server.