Monstra CMS Arbitrary File Upload Vulnerability in Files Manager Plugin Allowing Remote Code Execution

Vulnerability

An arbitrary file upload vulnerability has been identified in Monstra CMS version 3.0.4, specifically within the Files Manager plugin. The plugin validates uploads with a blacklist of forbidden file extensions rather than an allowlist of permitted ones, so files containing executable code can be uploaded. Uploaded files are stored in a directory that is reachable from the web, and under typical server configurations a stored PHP file is executed when requested, which leads to remote code execution.

Impact

Exploitation of this vulnerability allows arbitrary PHP code execution on the server through an uploaded web shell. Because the Files Manager plugin is an administrative feature, it also turns admin-level access to the CMS into full compromise of the underlying server.

Reproduction

To reproduce this vulnerability, upload a file through the Files Manager plugin that bypasses the weak blacklist validation. This can be done by using a filename that includes double extensions, such as '.php.jpg', or by manipulating the case of the file extension. Once the file is uploaded, it can be accessed via the web and executed, resulting in remote code execution on the server.

Remediation

Users are advised to disable the Files Manager plugin, whitelist allowed file extensions, rename uploads to a unique format, store files outside the web root, and consider migrating to a maintained content management system.
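The following PHP is an added example, not code from Monstra CMS or from this advisory, showing what the recommended remediation looks like in practice: an allowlist of extensions checked on the lowercased final extension only, a content-based MIME check, a random server-generated filename, storage outside the web root, and a download handler that serves files with an explicit Content-Type instead of letting the web server interpret them. The storage path, the form field name and the function names are assumptions.

```php
<?php
// Added example (not Monstra's own code): allowlist-based upload handling.
// Assumed layout: $storageDir is a directory OUTSIDE the document root,
// e.g. '/var/app-data/uploads' (hypothetical path), and files are only
// ever delivered through serveFile() below, never by a direct URL.

// Allowlist: permitted extension => MIME type the content must actually have.
const ALLOWED_EXTENSIONS = [
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'gif' => 'image/gif',
    'pdf' => 'application/pdf',
];

// Returns the accepted extension, or null if the upload must be rejected.
function validateUpload(string $originalName, string $tmpPath): ?string
{
    // Only the final extension counts, and it is compared lowercased, so
    // 'x.PHP' is judged as 'php' (rejected) and 'x.php.jpg' as 'jpg'.
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_EXTENSIONS[$ext])) {
        return null; // not on the allowlist
    }
    // Check the file content, not the client-supplied Content-Type header.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($tmpPath) !== ALLOWED_EXTENSIONS[$ext]) {
        return null; // extension and content disagree
    }
    return $ext;
}

// Stores one entry of $_FILES; returns the generated name or null on rejection.
function storeUpload(array $file, string $storageDir): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $ext = validateUpload($file['name'], $file['tmp_name']);
    if ($ext === null) {
        return null;
    }
    // Discard the user-supplied name entirely: a random name removes any
    // path or extension tricks it carried and avoids collisions.
    $newName = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($storageDir, '/') . '/' . $newName;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    return $newName;
}

// Delivers a stored file with a fixed Content-Type and as an attachment, so
// the browser never executes or sniffs it and the web server never runs it.
function serveFile(string $storageDir, string $name): void
{
    // Accept only names in the exact format storeUpload() generates.
    if (!preg_match('/^[a-f0-9]{32}\.([a-z0-9]+)$/', $name, $m)
        || !isset(ALLOWED_EXTENSIONS[$m[1]])) {
        http_response_code(404);
        return;
    }
    $path = rtrim($storageDir, '/') . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . ALLOWED_EXTENSIONS[$m[1]]);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// Usage (assumed form field 'file' and hypothetical storage directory):
// $name = storeUpload($_FILES['file'], '/var/app-data/uploads');
// if ($name === null) { http_response_code(400); exit('upload rejected'); }
// ... later, on a download request: serveFile('/var/app-data/uploads', $name);
```

The MIME check narrows what gets stored, but it is a complement, not the primary control: a crafted file can be both a valid image and valid PHP. The properties that actually remove the code-execution risk are that the stored file never sits under the document root and is only ever returned through serveFile() with a non-executable Content-Type.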

Added: Feb 5, 2026, 5:27 PM
Updated: Feb 5, 2026, 9:13 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 2.5
exploitability: 6.4
remediation: 8.3
relevance: 2.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.