xbtitFM Insecure File Upload Vulnerability Allowing Remote Code Execution
Vulnerability
A vulnerability exists in xbtitFM version 4.1.18 that allows authenticated attackers with administrative rights to upload and execute arbitrary PHP code via the file_hosting feature. The root cause is inadequate file type restriction: the upload check can be bypassed by altering the Content-Type header to image/gif, prepending GIF89a magic bytes, and using alternate PHP tags. A successful bypass lets the attacker upload a web shell and execute system commands on the server.
Impact
Exploiting this vulnerability allows an attacker to upload arbitrary files and run malicious PHP scripts on the server; from there, system commands can be executed, potentially compromising the entire server.
Reproduction
To reproduce this vulnerability, first ensure that the file_hosting feature is enabled on the xbtitFM application. If it is not enabled, an administrator account can be used to activate it. Once the feature is available, upload a PHP shell by changing the file's Content-Type to image/gif and adding GIF89a magic bytes to the beginning of the file. Use alternate PHP tags to bypass restrictions on PHP files. After uploading, the web shell can be accessed through the file_hosting directory.
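The bypass above works because the upload check trusts values the client controls. A server-side check that does not, written as an added example for this advisory (not code from xbtitFM), rejects a file unless its extension is on an allow-list, its bytes begin with an image header matching that extension, and no PHP open tag appears anywhere in the content; the same function can audit an existing file_hosting directory. All sample inputs are constructed.

```python
import re
import sys
from pathlib import Path

# Extensions the hosting directory is expected to serve; anything else is rejected.
ALLOWED_EXTENSIONS = {"gif", "png", "jpg", "jpeg"}

# Real image headers; a file must start with one of these to be accepted as that type.
IMAGE_MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
}

# Open tags PHP will honour: the normal tag, the short echo tag, the legacy short
# tag and the old <script language="php"> form. Any of them inside an "image" is a red flag.
PHP_TAG_RE = re.compile(
    rb"<\?php\b|<\?=|<\?\s|<script[^>]*language\s*=\s*['\"]?php", re.IGNORECASE
)


def check_upload(filename: str, data: bytes) -> list[str]:
    """Return the reasons an upload must be rejected; an empty list means accept.

    The client-supplied Content-Type is deliberately not a parameter: it is attacker
    controlled, so the decision rests only on the file name and the bytes themselves.
    """
    reasons = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        reasons.append(f"extension '{ext}' not in allow-list")
    kind = next((k for magic, k in IMAGE_MAGIC.items() if data.startswith(magic)), None)
    if kind is None:
        reasons.append("no recognised image header")
    elif kind != ("jpg" if ext == "jpeg" else ext):
        reasons.append(f"header says {kind} but extension says {ext}")
    if PHP_TAG_RE.search(data):  # magic bytes alone prove nothing; scan the whole body
        reasons.append("PHP open tag embedded in file")
    return reasons


def scan_directory(root: str) -> dict[str, list[str]]:
    """Audit an existing upload directory; returns {path: reasons} for suspicious files."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            reasons = check_upload(path.name, path.read_bytes())
            if reasons:
                findings[str(path)] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in scan_directory(sys.argv[1]).items():
        print(path, "->", "; ".join(reasons))
```

Run it against the file_hosting directory to list files that carry a valid image header but also contain PHP, which is exactly the polyglot this advisory describes.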