EasyImages Arbitrary File Rename Vulnerability Leading to Remote Code Execution

Vulnerability

An arbitrary file rename vulnerability has been identified in EasyImages 2.0 in versions prior to 2.8.6. It resides in the admin/manager.php component, whose rename function does not restrict the target file extension. An attacker who can get a file renamed through this endpoint can turn an uploaded image into server-side code by renaming an SVG file to a .php filename. The attack first uploads a crafted file under an .svg name that carries a PHP web shell appended to the image data; once the file is renamed to .php, the web server executes it as PHP.

Impact

Exploitation of this vulnerability yields remote code execution on the server hosting EasyImages: the renamed file is served as an ordinary PHP page, so commands passed to the web shell run with the privileges of the web server process.

Reproduction

To reproduce this vulnerability, first take a normal image file (such as a PNG) and append a PHP web shell to the end of its bytes. Give the file an .svg extension before uploading it: the application does not recompress SVG uploads the way it does raster images, so the appended PHP survives the upload intact (PHP ignores the leading image bytes, echoing them as output, and executes the tag that follows). Once the file is uploaded, obtain its URL and construct a request to the admin/manager.php endpoint that carries the image directory, the original SVG filename, and the desired new filename for the web shell (such as congsec.php). The rename is performed in the context of an authenticated administrator, so in practice the attacker delivers the crafted manager.php URL as a link; when an administrator clicks it, the file is renamed to the specified PHP filename and the attacker can execute commands by requesting the web shell.

Added: Dec 11, 2025, 5:33 PM
Updated: Dec 11, 2025, 5:33 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 5.8
remediation: 0.0
relevance: 1.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.