UliCMS
cpe:2.3:a:ulicms:ulicms:*:*:*:*:*:*:*
- 2023.1-sniffing-vicuna
A remote code execution vulnerability has been identified in UliCMS version 2023.1-sniffing-vicuna. The profile avatar upload accepts files with a .phar extension, so an authenticated user can upload PHP code under that extension. Once the file is on disk, requesting its location causes the server to execute it as PHP, which allows system commands to be run through a crafted avatar upload.
Exploitation of this vulnerability allows for remote code execution on the server where UliCMS is hosted.
To reproduce this vulnerability, log into an account and navigate to the profile edit section. Upload a new avatar and include a PHP file with the .phar extension. Although an upload error may occur, the file is still uploaded and the location can be found in the error message. After uploading, visit the file's location to trigger the code execution.
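The root cause is that the avatar handler trusts the client-supplied filename and writes it into a web-served directory where the PHP handler also covers .phar (many Apache+mod_php packages map `.php`, `.phar` and `.phtml` to the same handler). The following is an added example of a hardened avatar upload written for this advisory; it is not UliCMS code. It assumes a `$_FILES['avatar']` field and an `$uploadDir` chosen by the server. It discards the original name and extension entirely, checks the bytes rather than the name, and re-encodes the image through GD so that only a freshly generated PNG ever reaches disk:

```php
<?php
// Added example for this advisory, not UliCMS code.
// Assumptions: $_FILES['avatar'] is the upload field and $uploadDir is
// a directory for which the web server has script execution disabled.
declare(strict_types=1);

final class AvatarUploadException extends RuntimeException {}

/**
 * Validate an uploaded avatar strictly by content.
 * The client-supplied filename, extension and MIME type are never used,
 * so a payload named avatar.phar (or .php, .phtml) cannot choose its
 * own on-disk name or handler.
 */
function validateAvatarUpload(array $file, int $maxBytes = 2 * 1024 * 1024): GdImage
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new AvatarUploadException('Upload failed with error code ' . (int) ($file['error'] ?? -1));
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new AvatarUploadException('Not an uploaded file');
    }
    if (($file['size'] ?? 0) > $maxBytes) {
        throw new AvatarUploadException('Avatar exceeds size limit');
    }

    // Inspect the bytes: getimagesize() parses the actual image header.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false) {
        throw new AvatarUploadException('File is not a valid image');
    }
    $allowedTypes = [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF, IMAGETYPE_WEBP];
    if (!in_array($info[2], $allowedTypes, true)) {
        throw new AvatarUploadException('Unsupported image type');
    }

    // Re-encode through GD. A polyglot (valid image with PHP code appended
    // or hidden in metadata) is decoded to pixels here, so the payload is
    // not carried into the file we write.
    $img = @imagecreatefromstring((string) file_get_contents($file['tmp_name']));
    if (!$img instanceof GdImage) {
        throw new AvatarUploadException('Image could not be decoded');
    }
    return $img;
}

/**
 * Store the validated avatar under a server-generated name and return it.
 * The extension is fixed to .png because we always write PNG output.
 */
function storeAvatar(array $file, string $uploadDir): string
{
    $img  = validateAvatarUpload($file);
    $name = bin2hex(random_bytes(16)) . '.png';   // random, server-chosen
    $dest = rtrim($uploadDir, '/') . '/' . $name;

    if (!imagepng($img, $dest)) {
        throw new AvatarUploadException('Could not store avatar');
    }
    chmod($dest, 0644);   // readable, never executable
    return $name;
}

// Usage (inside the profile-edit POST handler):
// try {
//     $avatar = storeAvatar($_FILES['avatar'], $uploadDir);
// } catch (AvatarUploadException $e) {
//     // Report a generic failure; do not echo the on-disk path back to the user.
// }
```

Two points matter beyond the code. First, the advisory notes that the vulnerable version leaks the stored file's location in its error message; an error path should report a generic failure and log the detail server-side instead. Second, content validation alone is not enough: the avatar directory should also have PHP execution disabled at the web server (for Apache, for example, `php_flag engine off` or an explicit `SetHandler` override for that directory), so that even a file which slips through is served as static data rather than run.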