BuilderEngine CMS Unauthenticated Remote Code Execution Vulnerability via Unrestricted File Upload
Vulnerability
A remote code execution vulnerability has been identified in BuilderEngine CMS version 3.5.0. The root cause is an unrestricted file upload, introduced through the integration of the elFinder 2.0 file manager and the jQuery File Upload plugin. The jQuery File Upload plugin does not validate or restrict file types or upload locations, so an attacker can upload a PHP file that the server then executes in the context of the web server process. BuilderEngine's improper integration and missing access controls compound the problem by exposing the upload handler to unauthenticated users.
Impact
Exploitation of this vulnerability allows for arbitrary remote code execution on the server where BuilderEngine CMS is installed.
Reproduction
To reproduce this vulnerability, upload a malicious PHP file through the jQuery File Upload plugin. The file will be stored on the server, and can be accessed via the '/files/' directory, followed by the name of the uploaded file. Once accessed, the PHP code within the file will be executed on the server.
Remediation
Users are advised to configure the file upload handler to accept only specific file types, such as GIF, JPEG, and PNG. Additionally, upload features should be restricted to trusted hosts, and an .htaccess file can be used to block execution of uploaded files in untrusted directories.
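The following PHP is an added example written for this advisory; it is not BuilderEngine, elFinder or jQuery File Upload code. It contrasts the unvalidated upload pattern described above with a handler that applies the remediations listed here: an authentication check, an allowlist of GIF/JPEG/PNG verified by content sniffing rather than the client-supplied name or Content-Type, a server-generated filename, and an .htaccess in the upload directory that stops Apache from ever executing what lands there. The upload directory, size limit, form field name (`file`), session key and the assumption that AllowOverride permits the directives used are all assumptions, not values from the page.

```php
<?php
// Added example (not the project's own code). Paths, limits and field/session
// names below are assumptions chosen for illustration.

const UPLOAD_DIR = __DIR__ . '/files';   // assumed upload directory
const MAX_BYTES  = 5 * 1024 * 1024;      // assumed 5 MiB limit

// Allowlist: extension => MIME type the file's bytes must actually sniff as.
const ALLOWED = [
    'gif'  => 'image/gif',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
];

// The insecure pattern the advisory describes: the client-supplied name is
// trusted and nothing about the content is checked, so "x.php" is stored
// and later served as executable code. Shown only for contrast.
function store_upload_unsafe(array $file): string {
    $dest = UPLOAD_DIR . '/' . $file['name'];
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// Write an .htaccess into the upload directory so Apache serves uploads as
// static content only, even if a validation step is somehow bypassed.
// Assumes AllowOverride permits Options, FileInfo and AuthConfig directives;
// "php_flag engine off" applies to mod_php, the FilesMatch block to any SAPI.
function harden_upload_dir(string $dir): void {
    if (!is_dir($dir)) {
        mkdir($dir, 0755, true);
    }
    $htaccess = $dir . '/.htaccess';
    if (!file_exists($htaccess)) {
        file_put_contents($htaccess, implode("\n", [
            '# Uploads are data, never code',
            'php_flag engine off',
            'RemoveHandler .php .phtml .php3 .php4 .php5 .php7 .phps .phar',
            'RemoveType .php .phtml .php3 .php4 .php5 .php7 .phps .phar',
            '<FilesMatch "\.(php|phtml|php\d|phps|phar)$">',
            '    Require all denied',
            '</FilesMatch>',
            'Options -ExecCGI -Indexes',
            '',
        ]));
    }
}

// Validate one $_FILES entry and store it; returns the stored path or throws.
function store_image_upload(array $file): string {
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // 1. Extension allowlist on the client-supplied name (a first filter only).
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('extension not allowed');
    }

    // 2. The declared Content-Type is attacker-controlled; sniff the bytes.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("content sniffed as $mime, not .$ext");
    }

    // 3. It must decode as an image at all.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }

    // 4. Never reuse the client name: random basename plus canonical extension,
    //    so double extensions like "a.php.jpg" cannot reach the filesystem.
    $canonical = ($ext === 'jpeg') ? 'jpg' : $ext;
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $canonical;

    harden_upload_dir(UPLOAD_DIR);
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);   // readable, never executable
    return $dest;
}

// Entry point: require an authenticated session before touching the upload
// (the advisory notes the original handler is reachable unauthenticated).
session_start();
if (empty($_SESSION['user_id'])) {          // assumed session key
    http_response_code(401);
    exit('authentication required');
}
if (!empty($_FILES['file'])) {              // assumed form field name
    try {
        $stored = store_image_upload($_FILES['file']);
        echo json_encode(['stored' => basename($stored)]);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo json_encode(['error' => $e->getMessage()]);
    }
}
```

The layered checks matter because each one fails differently: an extension check alone is defeated by server-side double-extension handling, a MIME check alone trusts a header the client sets, and a filename-sanitising step alone still stores whatever bytes arrive. The .htaccess is the backstop for all of them, which is why the advisory recommends it alongside the allowlist rather than instead of it.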
