Cockpit CMS Arbitrary File Rename Vulnerability Leading to Code Execution

Vulnerability

A vulnerability exists in Cockpit CMS versions through 2.13.5, specifically within the Buckets component. The issue arises in the file type validation process, where the extension filter can be bypassed by appending certain characters to the filename. This flaw allows an authenticated attacker to rename a file so that it carries a .php extension, facilitating the execution of arbitrary code on the server.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server where Cockpit CMS is running.

Reproduction

To reproduce this vulnerability, log into Cockpit CMS as an authenticated user. Upload a file with a supported extension, such as .txt, to the Buckets module. Once the file is uploaded, use the rename function to change the file's extension to .php, appending './' to bypass the extension check. After renaming the file, access it through the web server to execute the PHP code, confirming the successful exploitation of the vulnerability.
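As an added illustration of the class of check described above (this is not Cockpit CMS code; the function names, the extension allowlist and the sample file names are constructed), the following Python compares a deny-list check applied to the raw request string with a validator that accepts only a plain file name whose final extension is allowlisted and that normalisation cannot alter. What a storage layer does with a trailing suffix after the check is not described by the advisory and is not modelled here.

```python
"""Added example (not Cockpit CMS code): a brittle extension deny list
applied to the raw request string, beside a hardened replacement.

The weak check searches for a forbidden extension at the end of whatever
the client sent, so a suffix such as './' hides the real extension. The
hardened check only succeeds when the string it inspects is exactly the
string that would reach the filesystem.
"""
import posixpath
import re

# Constructed policy: the only extensions a bucket may hold after a rename.
ALLOWED_EXTENSIONS = {"txt", "md", "jpg", "png", "pdf"}
# Constructed deny list; used by the weak check and, for double-extension
# detection, by the hardened one.
SCRIPT_EXTENSIONS = {"php", "phtml", "phar"}

# One leading alphanumeric, a body, then one or more '.ext' parts.
# No separators, no leading or trailing dots, no whitespace.
_PLAIN_FILE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]*(\.[A-Za-z0-9]+)+$")


def weak_rename_accepts(new_name: str) -> bool:
    """Deny-list regex on the raw request string (the brittle pattern).

    'shell.php' is refused, but 'shell.php./' is not, because the regex is
    anchored to the end of a string that no longer ends in '.php'.
    """
    return re.search(r"\.(php|phtml|phar)$", new_name, re.IGNORECASE) is None


def safe_rename_target(new_name: str) -> str:
    """Return the exact name that may be written, or raise ValueError.

    Every rule is applied to the string that would reach the filesystem,
    and the function only succeeds if path normalisation cannot alter it.
    """
    if "\x00" in new_name or "/" in new_name or "\\" in new_name:
        raise ValueError("separators and NUL bytes are not allowed")
    if not _PLAIN_FILE_NAME.fullmatch(new_name):
        raise ValueError(f"{new_name!r} is not a plain file name")
    segments = new_name.lower().split(".")
    if segments[-1] not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {segments[-1]!r} is not on the allowlist")
    # 'x.php.txt' style names: some web servers choose a handler from any
    # extension in the name, not only the last one, so refuse them too.
    if any(seg in SCRIPT_EXTENSIONS for seg in segments[1:-1]):
        raise ValueError("script extension inside the name")
    # The regex already guarantees this; make the invariant explicit so a
    # later normalisation step is provably a no-op on what we return.
    if posixpath.normpath(new_name) != new_name:
        raise ValueError("name changes under normalisation")
    return new_name


def rename_is_rejected(new_name: str) -> bool:
    """True if the hardened check refuses the name (for tests and audits)."""
    try:
        safe_rename_target(new_name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample requests; 'shell.php./' has the shape the advisory
    # describes.
    for name in ("notes.txt", "shell.php", "shell.php./", "shell.php.txt"):
        print(f"{name!r:16} weak_accepts={weak_rename_accepts(name)!s:5} "
              f"hardened_rejects={rename_is_rejected(name)}")
```

The contract of the hardened function is that the returned string is byte-for-byte what is written. Any storage layer that rewrites paths (dropping '.' segments, trailing separators or trailing dots) must run before the check rather than after it; otherwise the validator is examining a different name from the one that lands on disk. Allowlisting also removes the maintenance burden of a deny list that has to anticipate every extension a web server might hand to an interpreter.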

Remediation

Users are advised to update Cockpit CMS to version 2.14.0, which addresses this vulnerability.

Added: Apr 29, 2026, 4:31 PM
Updated: Apr 29, 2026, 4:31 PM

Vulnerability Rating

Custom Algorithm
spread: 5.7
impact: 10.0
exploitability: 6.2
remediation: 7.7
relevance: 6.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.