FeehiCMS Remote Code Execution Vulnerability via Unrestricted File Upload in Ad Management

A remote code execution vulnerability has been identified in FeehiCMS version 2.1.1. This issue arises from unrestricted file uploads in the Ad Management section, allowing authenticated remote attackers to upload files that the server executes or stores in an executable location without proper validation or sanitization. Exploitation involves uploading a crafted PHP file that is subsequently executed by the application or web server.

Impact

Exploitation of this vulnerability allows authenticated remote attackers to execute arbitrary code on the server.

Reproduction

To reproduce this vulnerability, log in as a backend user and navigate to the Ad Management section. Upload a JPEG file while intercepting the request. Change the file extension from .jpeg to .php and modify the file content to include a PHP script that executes system commands. After uploading the file, observe the file path on the server. Access the uploaded file through the web server, which will execute the embedded commands, demonstrating successful exploitation.

Remediation

Implement a strict allowlist of file types, accepting only specific, necessary formats and validating them by file signature rather than extension or MIME type. Store uploaded files outside the webroot in non-executable locations, ensuring directories are mounted with 'noexec' where supported and set with permissions that disallow execution. Additionally, perform server-side content validation and sanitization, inspecting files for embedded code or scripts, normalizing and sanitizing filenames, and generating server-side names to avoid control characters or path traversal.