CVE-2020-20670
📋 TL;DR
This vulnerability allows attackers to upload arbitrary HTML files to the ZKEACMS admin media upload endpoint, which can lead to remote code execution. Attackers can craft malicious HTML files that execute code on the server when accessed. Organizations running ZKEACMS V3.2.0 are affected.
💻 Affected Systems
- ZKEACMS
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands, steal data, install backdoors, or pivot to other systems.
Likely Case
Webshell deployment leading to data theft, defacement, or use as a foothold for further attacks.
If Mitigated
File upload blocked or sanitized, preventing malicious file execution.
🎯 Exploit Status
Exploitation requires admin credentials to access the upload endpoint. Once authenticated, uploading malicious HTML files is straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: V3.2.1 or later
Vendor Advisory: https://github.com/yilezhu/Czar.Cms/issues/6
Restart Required: Yes
Instructions:
1. Back up the current installation.
2. Download and install ZKEACMS V3.2.1 or later.
3. Restart the web application service.
4. Verify the fix by testing the file upload functionality.
🔧 Temporary Workarounds
Restrict file upload types
Configure the web server or application to allow only specific safe file types (images, documents) and block HTML file uploads.
# Configure in web.config or application settings to restrict .html, .htm, .xhtml uploads
Disable admin media upload endpoint
Temporarily disable or restrict access to the /admin/media/upload endpoint.
# Use web server rewrite rules or application firewall to block access to vulnerable path
🧯 If You Can't Patch
- Implement strict file upload validation that checks file extensions and content types, rejecting HTML files.
- Deploy a web application firewall (WAF) with rules to detect and block malicious file upload attempts.
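The validation described in the first bullet, as an added example that is not ZKEACMS code: an allowlist of extensions paired with a check of the file's leading bytes, plus a scan of the body for markup and a check of the declared content type, so a renamed or polyglot HTML file is rejected even when its extension looks harmless. The allowlist and the sample inputs are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed allowlist: extension -> accepted leading bytes (file signatures).
# Assumption: this deployment only needs images and PDFs; extend per site policy.
ALLOWED_SIGNATURES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
}

# Markup that must never be served from the media folder. Checked in the body
# as well, so a file whose signature passes but that embeds HTML is still refused.
_HTML_MARKERS = re.compile(
    rb"<\s*(!doctype\s+html|html|script|iframe|svg)\b", re.IGNORECASE
)

_HTML_TYPES = {"text/html", "application/xhtml+xml"}


@dataclass
class UploadDecision:
    accepted: bool
    reason: str


def validate_upload(filename: str, content: bytes, declared_type: str) -> UploadDecision:
    """Decide whether an uploaded file may be stored in the media folder."""
    # Keep only the final path component and its LAST extension, so
    # "a.png.html" is treated as .html and "..\\evil.html" as evil.html.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in name:
        return UploadDecision(False, "missing extension")
    ext = name.rsplit(".", 1)[1].lower()

    if ext not in ALLOWED_SIGNATURES:
        return UploadDecision(False, f"extension .{ext} not in allowlist")

    # Declared Content-Type is attacker-controlled, so it can only reject, never accept.
    if declared_type.split(";")[0].strip().lower() in _HTML_TYPES:
        return UploadDecision(False, "declared content type is HTML")

    if not any(content.startswith(sig) for sig in ALLOWED_SIGNATURES[ext]):
        return UploadDecision(False, f"content does not match .{ext} signature")

    # Only the head of the file is scanned; browsers sniff from the start of the body.
    if _HTML_MARKERS.search(content[:4096]):
        return UploadDecision(False, "markup detected inside file body")

    return UploadDecision(True, "ok")


if __name__ == "__main__":
    # Constructed sample uploads, not real traffic.
    samples = [
        ("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32, "image/png"),
        ("page.html", b"<html><body>x</body></html>", "text/html"),
        ("logo.png.html", b"\x89PNG\r\n\x1a\n", "image/png"),
        ("..\\evil.html", b"<html>", "image/png"),
        ("fake.png", b"<html><script>1</script>", "image/png"),
    ]
    for fn, body, ctype in samples:
        d = validate_upload(fn, body, ctype)
        print(f"{fn:16} accepted={d.accepted!s:5} ({d.reason})")
```

The order of checks matters: the extension allowlist runs first because it is the cheapest and catches the case this CVE describes; the signature and body checks then cover files that lie about their extension.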
🔍 How to Verify
Check if Vulnerable:
Check if running ZKEACMS V3.2.0 by examining version files or admin interface. Test if HTML files can be uploaded via /admin/media/upload endpoint.
Check Version:
Check the version.txt file or admin dashboard for ZKEACMS version information.
Verify Fix Applied:
After patching, attempt to upload an HTML file via the admin media upload endpoint - it should be rejected or sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to /admin/media/upload
- HTML file uploads from admin accounts
- Subsequent access to uploaded HTML files
Network Indicators:
- POST requests to /admin/media/upload with HTML file content
- Subsequent GET requests to uploaded HTML files
SIEM Query:
source="web_logs" AND (url_path="/admin/media/upload" AND file_extension="html")
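The log and network indicators above, turned into a small correlation script as an added example (not part of the original advisory or of ZKEACMS): it parses combined-format web server lines, collects successful POSTs to /admin/media/upload, and raises an alert for any later GET of an .html/.htm/.xhtml file under the media path within a one-hour window, pairing the requester with the most recent uploader. The media path prefix /upload/ and the sample log lines are assumptions constructed for the example; adjust the prefix to where your installation stores media.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log in combined format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /admin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2024:10:02:10 +0000] "POST /admin/media/upload HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2024:10:04:45 +0000] "GET /upload/media/report.html HTTP/1.1" 200 884 "-" "curl/8.0"
10.0.0.7 - - [12/Mar/2024:10:05:00 +0000] "GET /upload/media/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.5 - - [13/Mar/2024:09:00:00 +0000] "POST /admin/media/upload HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

UPLOAD_ENDPOINT = "/admin/media/upload"   # endpoint named in the advisory
MEDIA_PREFIX = "/upload/"                 # assumption: where uploaded media is served from
HTML_EXT = (".html", ".htm", ".xhtml")
WINDOW = timedelta(hours=1)               # how long after an upload a GET is correlated


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0].lower(),   # drop query string, normalise case
        "status": int(m["status"]),
    }


def find_alerts(log_text):
    """Return (uploads, alerts): accepted upload POSTs and correlated HTML fetches."""
    events = [e for e in map(parse, log_text.splitlines()) if e]
    uploads = [
        e for e in events
        if e["method"] == "POST" and e["path"] == UPLOAD_ENDPOINT and e["status"] < 400
    ]
    alerts = []
    for e in events:
        if e["method"] != "GET" or not e["path"].startswith(MEDIA_PREFIX):
            continue
        if not e["path"].endswith(HTML_EXT):
            continue
        # Any upload that happened before this GET and within the window is a candidate.
        prior = [u for u in uploads if timedelta(0) <= e["ts"] - u["ts"] <= WINDOW]
        if prior:
            latest = prior[-1]
            alerts.append({
                "path": e["path"],
                "requester": e["ip"],
                "uploader": latest["ip"],
                "upload_time": latest["ts"].isoformat(),
                "fetch_time": e["ts"].isoformat(),
            })
    return uploads, alerts


if __name__ == "__main__":
    uploads, alerts = find_alerts(SAMPLE_LOG)
    print(f"{len(uploads)} upload(s) to {UPLOAD_ENDPOINT}")
    for a in alerts:
        print(f"ALERT: {a['path']} fetched by {a['requester']} at {a['fetch_time']}, "
              f"uploaded by {a['uploader']} at {a['upload_time']}")
```

The correlation deliberately ignores the uploader's identity when matching, because the advisory's likely case is a webshell fetched by a different client than the one that uploaded it; the uploader is reported only so the responder knows which admin account to review.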