MacWarrior ClipBucket
cpe:2.3:a:clip-bucket:clipbucket:*:*:*:*:*:*:*
- <= 5.5.1 - 238
A file upload vulnerability has been identified in ClipBucket V5, in versions prior to 5.5.1 - 239. The issue resides in the Manage Playlist feature, specifically when uploading playlist cover images. Due to inadequate validation, an attacker can upload a PHP script disguised as an image, enabling the execution of malicious files or web shells on the server. This vulnerability is present in both the admin and low-level user areas.
Exploitation of this vulnerability allows for remote code execution on the server where ClipBucket is hosted. In a Docker environment, this would be as the 'containeruser' user.
To reproduce this vulnerability, upload a PHP file as a playlist cover image through the Manage Playlist functionality. This can be done by sending a POST request to 'manage_playlists.php' or 'admin_area/manage_playlist.php' with the 'upload_playlist_cover' parameter set to '1' and the 'playlist_cover' parameter containing the PHP file payload. The 'pid' parameter can be a random number, as no playlist object needs to be created.
Users are advised to update to ClipBucket version 5.5.1 - 239 or later. Additionally, implement server-side measures to deny PHP execution in the 'playlist_covers' directory and enforce strict image validation checks on uploaded files.
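The strict image validation recommended above could look like the following. This is an added example, not ClipBucket's own code: the function name `store_playlist_cover`, the allow-list and the size cap are assumptions, and it requires PHP's fileinfo and GD extensions.

```php
<?php
// Added example: hypothetical helper, not part of ClipBucket.
// Stores an uploaded playlist cover only if it really decodes as an image.

const ALLOWED_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png']; // assumed allow-list
const MAX_BYTES = 2 * 1024 * 1024;                                   // assumed size cap

function store_playlist_cover(array $file, string $destDir): string
{
    // $file is one entry of $_FILES, e.g. $_FILES['playlist_cover'].
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Detect the type from the content. The client-supplied filename and
    // $file['type'] are attacker-controlled and are never consulted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('not an allowed image type');
    }

    // Decode with GD. A script that merely carries an image header fails here,
    // and trailing data appended to a real image is not carried into the
    // re-encoded output written below.
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('file does not decode as an image');
    }

    // Server-chosen name and extension: ".php" can never reach the disk.
    $ext  = ALLOWED_TYPES[$mime];
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if ($ext === 'png') {
        imagesavealpha($img, true);          // keep PNG transparency
        $ok = imagepng($img, $dest);
    } else {
        $ok = imagejpeg($img, $dest, 90);
    }
    if (!$ok) {
        throw new RuntimeException('could not write cover');
    }
    return $dest;
}
```

Validation of this kind complements, rather than replaces, denying PHP execution in the 'playlist_covers' directory at the web server.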