E-POINT CMS Nested Archive File Upload Vulnerability Leading to Remote Code Execution
Vulnerability
A vulnerability exists in the E-POINT CMS file upload feature in version eagle.gsam-1169.1. The issue arises because the application improperly validates nested ZIP archives. An attacker can upload a ZIP file containing another ZIP file, where the inner archive holds an executable file, such as a web shell. When the application extracts these nested archives, the executable may be placed in a directory accessible via the web. This flaw can result in remote code execution, data disclosure, account compromise, or further system compromise, depending on the privileges of the web server or process.
Impact
Exploitation of this vulnerability allows arbitrary files to be uploaded to the server, bypassing the file type restrictions applied to direct uploads. It can lead to remote code execution if the server is configured to execute files from the upload directory. Additionally, there is a risk of privilege escalation or unauthorized data exposure.
Reproduction
To reproduce this vulnerability, create a ZIP file (outer.zip) containing another ZIP file (inner.zip) that includes a disallowed file type, such as a PHP file. Upload outer.zip through the E-POINT CMS file manager. After the upload, manually extract the archive using the CMS file manager's ZIP extraction function. The disallowed file will appear on the server, demonstrating the vulnerability.
Remediation
E-POINT CMS users should ensure that every entry of an uploaded archive, including any archive it contains, is inspected before extraction. It is recommended to reject multi-layered archives unless explicitly required, enforce file extension and MIME type validation on the extracted contents rather than only on the uploaded file, and prevent extraction into web-accessible directories.
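The following is an added illustration of that remediation, not code from E-POINT CMS: a pre-extraction check that rejects nested archives by content signature (so a renamed inner.zip is still caught), rejects members whose extension is outside an allow-list, and refuses names that would escape the destination. The allow-list and the sample archives are constructed for the example.

```python
import io
import zipfile
from pathlib import PurePosixPath

ALLOWED_EXTENSIONS = {".jpg", ".png", ".gif", ".pdf", ".txt"}  # constructed allow-list
ZIP_SIGNATURES = (b"PK\x03\x04", b"PK\x05\x06")  # local header / empty-archive magic

class ArchivePolicyError(ValueError):
    """Raised when an uploaded archive violates the extraction policy."""

def check_archive(data: bytes) -> list[str]:
    """Return member names safe to extract, or raise ArchivePolicyError.
    Nested archives are detected by content signature, so renaming
    inner.zip to inner.jpg does not help; disallowed extensions and
    paths escaping the destination are rejected too."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        raise ArchivePolicyError(f"not a zip archive: {exc}") from exc
    names = []
    with zf:
        for info in zf.infolist():
            if info.is_dir(): continue
            path = PurePosixPath(info.filename)
            if path.is_absolute() or ".." in path.parts:
                raise ArchivePolicyError(f"unsafe path: {info.filename}")
            if path.suffix.lower() not in ALLOWED_EXTENSIONS:
                raise ArchivePolicyError(f"disallowed type: {info.filename}")
            with zf.open(info) as member:  # inspect the bytes, not the name
                head = member.read(4)
            if head in ZIP_SIGNATURES:
                raise ArchivePolicyError(f"nested archive: {info.filename}")
            names.append(info.filename)
    return names

def archive_is_safe(data: bytes) -> bool:
    """True if the upload passes; extract only into a non-web-served directory."""
    try:
        check_archive(data)
        return True
    except ArchivePolicyError:
        return False

def build_zip(members: dict[str, bytes]) -> bytes:
    """Build a small in-memory ZIP (used only to construct sample uploads)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

Run the check on the uploaded bytes before calling any extraction routine, and keep the destination directory outside the web root regardless of the result.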
