Xerte Online Toolkits
CPE: cpe:2.3:a:apereo:xerte_online_toolkits:*:*:*:*:*:*:*
Affected versions: <= 3.14
In Xerte Online Toolkits versions through 3.14, a vulnerability exists that allows unauthenticated users to upload arbitrary files via the template import feature. This issue arises from missing authentication checks in the import endpoint, located in /website_code/php/import/import.php. Attackers can exploit this vulnerability by uploading a crafted ZIP archive, disguised as a project template, which can contain a malicious PHP payload placed in the media/ directory. Once the archive is extracted into a web-accessible USER-FILES/{projectID}--{targetFolder}/ path, the uploaded PHP file can be accessed directly, leading to remote code execution on the server.
Exploitation of this vulnerability allows for arbitrary PHP code execution, with the potential to gain persistent web shell access and compromise the hosting environment.
The vulnerability can be reproduced by sending a POST request to the import.php endpoint with a ZIP file that includes a malicious PHP script. The ZIP file must be structured to mimic a legitimate project template, with the PHP payload placed in the media/ directory. Once the file is uploaded and extracted, the PHP script can be accessed through the USER-FILES directory, where it will execute under the web server's permissions.
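For detection, the sequence described above leaves two traces in web server access logs: a POST to the import endpoint, and a later request for a script under a USER-FILES/{projectID}--{targetFolder}/media/ path. The Python below is an added example, not part of the original advisory or of Xerte's code; it assumes common/combined log format, its sample lines are constructed, and matching .phtml/.phar alongside .php is an assumption that goes beyond the PHP payload the advisory names.

```python
import re

# Access-log line in common/combined format (assumed log layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Import endpoint named in the advisory.
IMPORT_PATH = "/website_code/php/import/import.php"
# Script under USER-FILES/{projectID}--{targetFolder}/media/.
# .phtml/.phar are an added assumption; the advisory only names PHP files.
SCRIPT_RE = re.compile(
    r"/USER-FILES/[^/]+--[^/]+/media/[^?#]*\.(?:php\d?|phtml|phar)(?:[/?#]|$)",
    re.IGNORECASE,
)

def find_suspicious(lines):
    """Return (severity, ip, timestamp, path, status) tuples in log order."""
    importers = set()  # clients that POSTed to the import endpoint
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, path, status = m["ip"], m["ts"], m["path"], m["status"]
        if m["method"] == "POST" and path.split("?", 1)[0].endswith(IMPORT_PATH):
            # Logs do not show session state, so every import POST is reviewed.
            importers.add(ip)
            findings.append(("review", ip, ts, path, status))
        elif SCRIPT_RE.search(path):
            # A media/ script request from an importing client is the full chain.
            severity = "high" if ip in importers else "medium"
            findings.append((severity, ip, ts, path, status))
    return findings

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [10/Jan/2025:10:00:01 +0000] "POST /website_code/php/import/import.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Jan/2025:10:00:05 +0000] "GET /USER-FILES/42--example/media/example.php HTTP/1.1" 200 17',
    '198.51.100.9 - - [10/Jan/2025:10:01:00 +0000] "GET /USER-FILES/42--example/media/photo.jpg HTTP/1.1" 200 20480',
    '198.51.100.9 - - [10/Jan/2025:10:02:00 +0000] "GET /USER-FILES/7--example/media/notes.php?x=1 HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE):
        print("\t".join(finding))
```

A 200 response to a script request under media/ means the file exists and was served, so those findings warrant checking the corresponding USER-FILES directory on disk.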