Emlog Remote Code Execution Vulnerability via Arbitrary File Upload in REST API

Vulnerability

A remote code execution vulnerability has been identified in Emlog versions through 2.6.1. The issue arises from the REST API upload endpoint, which lacks proper validation of file types, extensions, and content. This flaw allows authenticated attackers with a valid API key or admin session cookie to upload arbitrary files, including malicious PHP scripts, to the server. Once executed, these scripts can lead to full server compromise. Exploitation requires an API key, which can be obtained by gaining administrator access or through information disclosure vulnerabilities in the application.

Impact

Exploitation of this vulnerability allows for remote code execution on the target server, leading to full server compromise.

Reproduction

To reproduce this vulnerability, an authenticated user must send a POST request to the '/index.php?rest-api=upload' endpoint, including a file named '12399227.php' in the 'file' form-data field. The file should contain PHP code, such as a script executing the 'phpinfo()' function. The request must also include a valid API key or admin session cookie.

Remediation

Users are advised to update to the latest version of Emlog, as this vulnerability has been addressed in the official repository.
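
The following is an added example, not Emlog's code or its official fix: a request-inspection check that applies the three validations the advisory says the upload endpoint lacks (extension, type and content) to the 'file' part of a multipart body. The image allowlist, the function names and the sample request builder are assumptions made for illustration.

```python
from email.parser import BytesParser
from email.policy import HTTP
import os

# Assumption for this example: the site only accepts these image types.
ALLOWED = {"jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",),
           "png": (b"\x89PNG\r\n\x1a\n",), "gif": (b"GIF87a", b"GIF89a")}
SCRIPT_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht"}
PHP_MARKERS = (b"<?php", b"<?=")


def inspect_upload(content_type, body, field="file"):
    """Return reasons to reject the upload; an empty list means it passed."""
    # Prepend the HTTP Content-Type so the stdlib MIME parser can split parts.
    raw = b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n" + body
    msg = BytesParser(policy=HTTP).parsebytes(raw)
    if not msg.is_multipart():
        return ["body is not multipart/form-data"]
    reasons, seen = [], False
    for part in msg.iter_parts():
        if part.get_param("name", header="content-disposition") != field:
            continue
        seen = True
        # Drop any client-supplied directory components from the name.
        name = os.path.basename((part.get_filename() or "").replace("\\", "/"))
        data = part.get_payload(decode=True) or b""
        suffixes = name.lower().split(".")[1:]
        ext = suffixes[-1] if suffixes else ""
        # Extension: no script suffix anywhere, and the last one allowlisted.
        if SCRIPT_EXT.intersection(suffixes):
            reasons.append(f"{name}: script extension in file name")
        if ext not in ALLOWED:
            reasons.append(f"{name}: extension not on the allowlist")
        # Type: leading bytes must match the claimed extension.
        elif not data.startswith(ALLOWED[ext]):
            reasons.append(f"{name}: content does not match .{ext}")
        # Content: PHP open tags have no place in an image upload.
        if any(marker in data.lower() for marker in PHP_MARKERS):
            reasons.append(f"{name}: PHP open tag in content")
    return reasons if seen else [f"no '{field}' part in request"]


def sample_request(filename, data):
    """Constructed multipart request with a single 'file' part (demo input)."""
    b = "constructed-boundary"
    head = (f'--{b}\r\nContent-Disposition: form-data; name="file"; '
            f'filename="{filename}"\r\n'
            "Content-Type: application/octet-stream\r\n\r\n").encode()
    return (f"multipart/form-data; boundary={b}",
            head + data + f"\r\n--{b}--\r\n".encode())
```

A check like this belongs on the server side of the trust boundary (application code or a reverse proxy in front of it); it complements the update and does not replace it.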

Added: Jan 12, 2026, 10:17 PM
Updated: Jan 12, 2026, 10:17 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 10.0
exploitability: 6.8
remediation: 0.0
relevance: 2.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.