Vendor: ImpressCMS
By: Ünsal Furkan Harani (Zemarkhos)
CVSS: 6.1 (MEDIUM)
CWE: 434 (Unrestricted File Upload)
Product Name: ImpressCMS
Affected Version From: v1.4.4
Affected Version To: v1.4.4
Patch Exists: Yes
Related CWE: CVE-2022-1234
CPE: cpe:a:impresscms:impresscms
Metasploit:
Other Scripts:
Platforms Tested: Linux
2022

ImpressCMS v1.4.4 – Unrestricted File Upload

The 'extensionsToBeSanitized' blacklist is defined between lines 152 and 162 of the upload handler. Because the blacklist is weak, files can still be uploaded with the extensions listed here: .php2, .php6, .php7, .phps, .pht, .pgif, .shtml, .htaccess, .phar, .inc

Mitigation:

Upgrade to the latest version of ImpressCMS.

Exploit-DB raw data:

# Exploit Title: ImpressCMS v1.4.4 - Unrestricted File Upload
# Date: 7/4/2022
# Exploit Author: Ünsal Furkan Harani (Zemarkhos)
# Vendor Homepage: https://www.impresscms.org/
# Software Link: https://github.com/ImpressCMS/impresscms
# Version: v1.4.4

# Description:
Between lines 152 and 162, we see the function "extensionsToBeSanitized". Since the blacklist method is weak, it is known that the file can be uploaded with the extensions mentioned below.

.php2, .php6, .php7, .phps, .pht, .pgif, .shtml, .htaccess, .phar, .inc

Impresscms/core/File/MediaUploader.php Between lines 152 and 162:
private $extensionsToBeSanitized = array('php','phtml','phtm','php3','php4','cgi','pl','asp','php5');
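
The blacklist weakness described above, next to an allowlist check, as an added example that is not ImpressCMS code or the author's. The function names, the allowlist contents and the sample file names are assumptions, and the denylist function is a simplified model (final extension only), not the project's actual logic.

```php
<?php
// Added example, not ImpressCMS code. Function names and ALLOWLIST are assumptions.

// Denylist values copied from the page (MediaUploader.php, v1.4.4).
const DENYLIST = ['php','phtml','phtm','php3','php4','cgi','pl','asp','php5'];

// Hypothetical allowlist for an image/document upload feature.
const ALLOWLIST = ['jpg','jpeg','png','gif','pdf'];

// Simplified denylist model: accept unless the final extension is listed.
function denylistAccepts(string $name): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return !in_array($ext, DENYLIST, true);
}

// Allowlist: exactly one extension, and it must be on the list.
function allowlistAccepts(string $name): bool
{
    $base = basename(str_replace('\\', '/', $name));
    // Reject empty names, dotfiles (.htaccess), control chars, trailing dot/space.
    if ($base === '' || $base[0] === '.' || preg_match('/[\x00-\x1f]|[. ]$/', $base)) {
        return false;
    }
    $parts = explode('.', strtolower($base));
    // Strict "name.ext" form: also rejects double extensions such as a.php.jpg.
    return count($parts) === 2 && in_array($parts[1], ALLOWLIST, true);
}

// Constructed sample names: the extensions the page lists, plus control cases.
$samples = ['a.php2','a.php6','a.php7','a.phps','a.pht','a.pgif','a.shtml',
            '.htaccess','a.phar','a.inc','a.PHP','a.php.jpg','photo.jpg'];

foreach ($samples as $name) {
    printf("%-10s denylist=%-6s allowlist=%s\n", $name,
        denylistAccepts($name) ? 'accept' : 'reject',
        allowlistAccepts($name) ? 'accept' : 'reject');
}
```

Every extension the page lists passes the denylist model and fails the allowlist; only `photo.jpg` passes both. An extension check is one layer: storing uploads under a server-generated name in a directory where script execution is disabled covers what a name check cannot.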