EmpireSoft EmpireCMS File Upload Blacklist Bypass Vulnerability
Vulnerability
An unrestricted file upload vulnerability has been identified in EmpireSoft EmpireCMS versions through 8.0. The 'CheckSaveTranFiletype' function in 'e/class/connect.php' validates uploads with an incomplete blacklist of file extensions, and that blacklist does not reject server configuration files such as '.htaccess' and '.user.ini'. An authenticated user can therefore upload these files into a web-accessible directory. Under Apache with directory overrides enabled (AllowOverride), an uploaded '.htaccess' changes how the server handles files in that directory; under PHP running as CGI or PHP-FPM (for example behind Nginx), an uploaded '.user.ini' is read as per-directory PHP configuration. Either path leads to remote code execution.
Impact
Exploitation allows arbitrary PHP code to run in the context of the web server or PHP-FPM worker process. The attacker needs an account that can reach the upload feature, but does not need to bypass the check on the web shell itself: the uploaded configuration file alters how the server interprets other uploaded files, so a second file with an otherwise permitted extension is then executed as PHP.
Reproduction
To reproduce this vulnerability, an authenticated user uploads a file named '.htaccess' or '.user.ini' through the application's file upload feature; neither name is rejected by the blacklist. On Apache, the uploaded '.htaccess' is used to map a custom, otherwise harmless extension to the PHP handler, after which a web shell with that extension is uploaded and requested. On Nginx with PHP-FPM (or any CGI/FPM deployment of PHP), the uploaded '.user.ini' is used to make PHP include an attacker-controlled file when serving the directory, for example via 'auto_prepend_file'. Two caveats when testing: the '.htaccess' path only works if the server honours overrides for the upload directory, and PHP caches '.user.ini' files for 'user_ini.cache_ttl' seconds (300 by default), so the effect may take up to five minutes to appear.
Remediation
It is recommended to replace the current blacklist validation with whitelist validation, allowing only a fixed set of expected file types (images, archives, documents) to be uploaded, and rejecting any name that begins with a dot, has no extension, or carries more than one extension. Extending the blacklist to include '.htaccess' and '.user.ini' is at best a stopgap, since a blacklist must anticipate every name the web server or interpreter treats specially. As defence in depth, the upload directory should be served without PHP execution and without directory overrides, or placed outside the web root entirely.
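The following PHP is an added illustration, not EmpireCMS code, of why the blacklist described above misses '.htaccess' and '.user.ini' and how a whitelist of the kind recommended here handles the same names. The function names, the sample extension lists and the sample filenames are all hypothetical and chosen for this example.

```php
<?php
// Added example, not code from EmpireCMS or 'e/class/connect.php'.
// Function names, extension lists and sample filenames are hypothetical.

// Blacklist check of the kind the advisory describes: only the final
// extension is compared against a list of "dangerous" extensions.
// pathinfo('.htaccess') yields 'htaccess' and pathinfo('.user.ini')
// yields 'ini', neither of which a typical blacklist contains.
function blacklistAllows(string $filename, array $blacklist): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return !in_array($ext, $blacklist, true);
}

// Whitelist check: accept only a known-safe final extension, and refuse
// anything that is a dotfile, has no extension, or has more than one
// extension (so 'a.php.jpg' is rejected as well as '.htaccess').
function whitelistAllows(string $filename, array $whitelist): bool
{
    $base = basename($filename);
    if ($base === '' || $base[0] === '.') {
        return false;               // .htaccess, .user.ini, and other dotfiles
    }
    $parts = explode('.', $base);
    if (count($parts) !== 2 || $parts[0] === '') {
        return false;               // no extension, or a double extension
    }
    return in_array(strtolower($parts[1]), $whitelist, true);
}

// Hypothetical lists; a real deployment would tune the whitelist to what
// the upload feature actually needs to accept.
$blacklist = ['php', 'php3', 'php4', 'php5', 'phtml', 'phar', 'exe', 'asp', 'jsp'];
$whitelist = ['jpg', 'jpeg', 'png', 'gif', 'zip', 'pdf'];

// Constructed sample names covering the benign case, a direct web shell,
// the two configuration files from the advisory, a double extension and
// a name with no extension at all.
$samples = ['photo.jpg', 'shell.php', '.htaccess', '.user.ini', 'a.php.jpg', 'README'];

foreach ($samples as $name) {
    printf("%-12s blacklist=%-5s whitelist=%s\n",
        $name,
        blacklistAllows($name, $blacklist) ? 'allow' : 'deny',
        whitelistAllows($name, $whitelist) ? 'allow' : 'deny');
}
```

Running it side by side shows the difference the advisory turns on: the blacklist denies only 'shell.php' and lets '.htaccess', '.user.ini', 'a.php.jpg' and 'README' through, while the whitelist accepts only 'photo.jpg'. Rejecting every multi-dot name is deliberately strict (it also refuses 'archive.tar.gz'); if such names must be accepted, add them as explicit two-part entries rather than relaxing the rule. An extension check is a necessary gate but not the whole fix; the serving-directory hardening in the remediation still applies.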
