uasoft-indonesia badaso
cpe:2.3:a:uatech:badaso:*:*:*:*:*:*:*
- 2.9.11
- 2.9.12
A vulnerability allowing arbitrary code execution has been identified in Badaso CMS version 2.9.11. The issue arises in the Media Manager, where authenticated users can upload files containing PHP code through the file-upload endpoint because its content-type validation can be bypassed. Once the file is accessed via its URL, the server executes the PHP payload, allowing an attacker to run arbitrary system commands and fully compromise the underlying host. This vulnerability can be exploited by embedding a backdoor within a PDF, renaming it with a .php extension, and uploading it to the application.
Exploitation of this vulnerability allows for remote code execution on the server, with the executed code running in the context of the web server user. This could lead to a complete compromise of the host, as demonstrated by the vulnerability disclosure, where a web shell was uploaded and executed.
To reproduce this vulnerability, log in with an administrator account and upload a valid file, such as a PDF, through the Media Manager's file-upload feature. After the file is uploaded, note the file path provided by the application. Next, attempt to upload a malicious PHP file. The application will reject this file, indicating 'Invalid File Detected'. To bypass this restriction, add PDF magic bytes to the top of the PHP file, tricking the application into accepting it as a PDF. Once uploaded, access the file via its URL. Since the file extension is still .php, the server will execute the embedded PHP code, resulting in remote code execution.
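The root cause described above is a content check that trusts leading magic bytes while the filename keeps a server-executable extension. The following is an added example (not code from the advisory or from the Badaso project) that places that weak pattern beside a hardened validator: an extension allowlist, rejection of server-executable tokens anywhere in the name, a content-versus-extension match, and a conservative scan for PHP open tags. The allowlist, the magic-byte table, and the sample inputs are constructed for the example.

```python
"""Upload validation: a magic-bytes-only check (the pattern the advisory
describes being bypassed) next to a hardened validator. Constructed example."""
import os
import re

# Allowlisted extensions mapped to the magic bytes each must start with.
ALLOWED = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
}
# Extensions a typical web server may hand to the PHP interpreter. They are
# rejected anywhere in the name, so "doc.php.pdf" style names fail too.
SERVER_EXECUTABLE = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)

def weak_check(filename: str, data: bytes) -> bool:
    """Accepts any file whose leading bytes match a known document type.
    This is the class of check the advisory describes: a .php file with
    PDF magic bytes prepended passes it, whatever the extension says."""
    return any(data.startswith(magic) for magic in ALLOWED.values())

def hardened_check(filename: str, data: bytes) -> tuple[bool, str]:
    """Returns (accepted, reason). Every rule must pass."""
    base = os.path.basename(filename)
    parts = base.lower().split(".")
    if len(parts) < 2 or not all(parts):
        return False, "missing or empty extension"
    ext = parts[-1]
    # 1. The final extension must be on the allowlist (not merely absent from a deny-list).
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowlisted"
    # 2. No server-executable token anywhere in the name (double extensions).
    if SERVER_EXECUTABLE & set(parts[:-1]):
        return False, "server-executable extension in filename"
    # 3. Content must match the type the extension claims.
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match extension"
    # 4. Document and image uploads have no business containing PHP open tags;
    #    this is defence in depth and deliberately errs toward rejection.
    if PHP_TAG.search(data):
        return False, "embedded PHP open tag"
    return True, "ok"
```

Even with this validator, uploads should be stored where the web server does not execute scripts, so that a file which slips through is served as data rather than run.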