EasyImages File Rename Vulnerability in Filer.php Component Allowing Arbitrary Code Execution

Vulnerability

A vulnerability allowing arbitrary file renaming has been identified in the EasyImages application, affecting versions from 2.0 up to but not including 2.8.6. The issue resides in the admin filer.php component, where an attacker with administrator privileges can execute arbitrary code by injecting a crafted payload through an uploaded file name. The vulnerability is exploited by uploading a malicious SVG file containing a web shell and then tricking an administrator into renaming the file to a PHP script, which the server subsequently executes.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where EasyImages is hosted.

Reproduction

To reproduce this vulnerability, first upload a normal image file, such as a PNG, with a web shell script appended to the end of the file. Rename the file extension to SVG so that image compression during the upload process does not corrupt the appended script. After uploading the file, obtain its URL and construct a link that uses the rename action in the filer.php component to change the file extension from SVG to PHP, which allows the web shell to be executed on the server.
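The root cause is a rename action that can change an uploaded file's extension to a server-executable one. The following hardened rename handler is an added illustration of the defensive pattern and is not EasyImages' own code; the function names, the upload directory parameter and the 'csrf_token' session key are assumptions.

```php
<?php
// Added example, not EasyImages' own code: a hardened rename handler for an
// upload directory. It allows a rename only when the new name is a bare file
// name with a single, allowlisted image extension that matches the original
// file's extension, so an .svg upload can never become a .php script.
// Function names, $uploadDir and the 'csrf_token' session key are assumptions;
// session_start() is assumed to have been called by the caller.

const ALLOWED_IMAGE_EXTENSIONS = ['png', 'jpg', 'jpeg', 'gif', 'webp', 'bmp', 'svg'];

// Returns the sanitized target name, or null if the rename must be refused.
function validateRename(string $oldName, string $newName): ?string
{
    // A bare file name only: no directory components allowed.
    if ($newName !== basename($newName)) {
        return null;
    }
    // Exactly one extension (rejects shell.php.svg) and a conservative stem
    // (also rejects '', '.' and '..').
    $parts = explode('.', $newName);
    if (count($parts) !== 2 || !preg_match('/^[A-Za-z0-9_-]{1,64}$/', $parts[0])) {
        return null;
    }
    $ext = strtolower($parts[1]);
    if (!in_array($ext, ALLOWED_IMAGE_EXTENSIONS, true)) {
        return null;
    }
    // The file type must not change: a rename may alter the stem, never the extension.
    if ($ext !== strtolower(pathinfo($oldName, PATHINFO_EXTENSION))) {
        return null;
    }
    return $parts[0] . '.' . $ext;
}

function renameUpload(string $uploadDir, string $oldName, string $newName, string $token): bool
{
    // The report describes a rename triggered by a link handed to an administrator,
    // so the action must also require a per-session anti-CSRF token.
    if (!isset($_SESSION['csrf_token']) || !hash_equals($_SESSION['csrf_token'], $token)) {
        return false;
    }
    $safeName = validateRename(basename($oldName), $newName);
    if ($safeName === null) {
        return false;
    }
    $src = $uploadDir . DIRECTORY_SEPARATOR . basename($oldName);
    $dst = $uploadDir . DIRECTORY_SEPARATOR . $safeName;
    // Only rename regular files, and never overwrite an existing file.
    if (!is_file($src) || file_exists($dst)) {
        return false;
    }
    return rename($src, $dst);
}
```

With this check in place, a request to rename shell.svg to shell.php is refused before the filesystem is touched, and the appended script in the SVG is never interpreted by PHP.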

Added: Dec 11, 2025, 5:31 PM
Updated: Dec 11, 2025, 5:31 PM

Vulnerability Rating

Custom Algorithm
spread           0.0
impact          10.0
exploitability   3.7
remediation      0.0
relevance        1.4
threat           6.4
urgency          2.9
incentive        1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.