Willow CMS Unrestricted File Upload Vulnerability Leading to Remote Code Execution

A vulnerability exists in Willow CMS versions prior to 1.4.0, specifically in the 'Add Image' function within the admin panel. This vulnerability allows authenticated users, particularly those with admin privileges, to upload arbitrary files, including PHP webshells. The issue arises from inadequate file type validation, which can be bypassed by manipulating the file's header. Once the webshell is uploaded, it can be executed on the server, resulting in remote code execution.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where Willow CMS is installed, potentially leading to a complete compromise of the server. This includes unauthorized access to data, disruption of services, and the possibility of installing persistent backdoors.

Reproduction

To reproduce this vulnerability, an authenticated admin user must access the '/admin/images/add' endpoint. Afterward, a PHP file disguised as a JPEG image by altering its header can be uploaded. The server will accept the file as a valid image, and once uploaded, the PHP script can be executed by accessing the file's URL, thereby executing arbitrary commands on the server.