PbootCMS File Upload Vulnerability Allowing Remote Code Execution

Vulnerability

A vulnerability exists in PbootCMS versions through 3.2.12, specifically within the file upload component. The issue arises from an incomplete blacklist in the upload validation logic, which fails to properly filter out dangerous file extensions such as .pht, .phar, .php7, .cgi, .htaccess, and .user.ini. This flaw allows authenticated attackers to upload executable files that could be executed on the server, potentially leading to remote code execution.

Impact

Exploitation of this vulnerability could result in remote code execution on the server, particularly in environments where the uploaded file is processed as executable code. Additionally, it could allow for the upload of files that are accessible via the web, or the manipulation of server behavior through uploaded .htaccess or .user.ini files.

Reproduction

To reproduce this vulnerability, authenticate as a user with access to the upload feature. Then, upload a file with a dangerous extension that is not properly filtered, such as .pht. If the server executes files with that extension, the uploaded file can be accessed directly via the web.

Remediation

It is recommended to replace the current blacklist approach with a strict allowlist of permitted file types. Additionally, uploads should be stored outside of the web root, and script execution should be disabled in upload directories.
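To show why the allowlist recommendation matters, the following added example (written for this page, not PbootCMS's own code) puts a last-extension blacklist check, modelled on the incomplete-filter pattern described above, beside a strict allowlist check. The blacklist contents, the allowlist contents and the function names are all assumptions; the point is how each check treats names like `shell.pht`, `.htaccess` and `.user.ini`.

```python
import os
import re
import secrets

# Constructed, deliberately incomplete blacklist (assumption; not PbootCMS's list).
LEGACY_BLACKLIST = {"php", "php3", "php4", "php5", "phtml", "asp", "jsp"}

# Constructed allowlist of non-executable types the application needs.
UPLOAD_ALLOWLIST = {"jpg", "jpeg", "png", "gif", "pdf", "zip"}


def last_extension(name: str) -> str:
    """Extension as a naive splitext() sees it: '.htaccess' -> '', '.user.ini' -> 'ini'."""
    return os.path.splitext(os.path.basename(name))[1].lstrip(".").lower()


def blacklist_allows(name: str) -> bool:
    """Weak check: accept anything whose last extension is not on the blacklist.
    Misses .pht/.php7/.phar (not listed) and dotfiles (no extension at all)."""
    return last_extension(name) not in LEGACY_BLACKLIST


def allowlist_allows(name: str) -> bool:
    """Strict check: exactly one extension, and it must be on the allowlist."""
    base = os.path.basename(name)
    # Reject dotfiles (.htaccess, .user.ini) and double extensions (x.php.jpg).
    if base.startswith(".") or base.count(".") != 1:
        return False
    stem, ext = base.split(".")
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", stem):
        return False
    return ext.lower() in UPLOAD_ALLOWLIST


def storage_name(name: str) -> str:
    """Server-chosen file name for an allowlisted upload: the client's stem is
    discarded, so only the validated extension survives into the upload directory."""
    if not allowlist_allows(name):
        raise ValueError("rejected upload name")
    ext = name.rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


def compare(names):
    """Return {name: (blacklist_verdict, allowlist_verdict)} for a batch of names."""
    return {n: (blacklist_allows(n), allowlist_allows(n)) for n in names}
```

Constructed test names such as `shell.pht`, `.htaccess` and `.user.ini` pass the blacklist check and fail the allowlist check; `photo.jpg` passes both.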

Added: Mar 21, 2026, 6:19 AM
Updated: Mar 21, 2026, 6:19 AM

Vulnerability Rating (Custom Algorithm)

Category         Score
spread           1.0
impact           10.0
exploitability   6.4
remediation      8.3
relevance        4.2
threat           6.4
urgency          2.9
incentive        0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.