CVE-2020-21174
📋 TL;DR
CVE-2020-21174 is a critical file upload vulnerability in liufee CMS v2.0.7.1 that allows remote attackers to upload malicious files disguised as images, leading to arbitrary code execution. This affects all systems running the vulnerable version of liufee CMS, potentially compromising the entire web server.
💻 Affected Systems
- liufee CMS
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise with attacker gaining full control over the web server, data exfiltration, and lateral movement to other systems.
Likely Case
Webshell deployment leading to website defacement, data theft, and further exploitation of the server environment.
If Mitigated
Attack blocked at web application firewall level with no file uploads reaching the server.
🎯 Exploit Status
The GitHub issue shows exploitation details and the vulnerability is straightforward to exploit with basic web penetration testing tools.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v2.0.7.2 or later
Vendor Advisory: https://github.com/liufee/cms/issues/44
Restart Required: No
Instructions:
1. Back up the current installation.
2. Download the latest version from the official repository.
3. Replace the vulnerable files with the patched version.
4. Verify that file upload functionality works correctly.
🔧 Temporary Workarounds
File Upload Restriction
Implement strict file upload validation at the web server level
# For Apache: Add to .htaccess
# (Order/Deny is Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead)
<FilesMatch "\.(php|phtml|php3|php4|php5|phps|pl|py|jsp|asp|sh|cgi)$">
    Order Allow,Deny
    Deny from all
</FilesMatch>
# For Nginx: Add to server block
location ~ \.(php|phtml|php3|php4|php5|phps|pl|py|jsp|asp|sh|cgi)$ {
    deny all;
}
WAF Rule Implementation
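Deploy web application firewall rules to block malicious file uploads
# ModSecurity rule example
# FILES holds the client-supplied file names; FILES_TMPNAMES holds only the
# server-side temporary names, which never carry the original extension.
SecRule FILES "@rx \.(php|phtml|php3|php4|php5|phps|pl|py|jsp|asp|sh|cgi)$" \
    "id:1001,phase:2,deny,msg:'Malicious file upload attempt'"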
🧯 If You Can't Patch
- Disable file upload functionality completely in liufee CMS configuration
- Implement strict file type validation at the application level before any file processing
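An added example of the application-level check in the last item, not liufee CMS code: Python is used only to show the logic. The function name, the image allowlist and the random stored name are assumptions; the blocked extensions are the ones used in the web server rules above.

```python
import os
import secrets

# Extensions the web-server rules on this page treat as executable.
BLOCKED = {"php", "phtml", "php3", "php4", "php5", "phps",
           "pl", "py", "jsp", "asp", "sh", "cgi"}

# Assumed image allowlist: final extension -> accepted leading magic bytes.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def validate_image_upload(filename: str, data: bytes):
    """Return (stored_name, None) if accepted, else (None, reason)."""
    # Drop any client-supplied directory part (both separator styles).
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or "\x00" in base:
        return None, "bad filename"
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        # Also rejects dotfiles such as .htaccess.
        return None, "no base name or extension"
    # Check every dot-separated segment, not only the last one, so that
    # double extensions such as test.php.jpg are refused.
    if any(seg.strip() in BLOCKED for seg in parts[1:]):
        return None, "executable extension in name"
    ext = parts[-1]
    if ext not in MAGIC:
        return None, "extension not allowed"
    if not data.startswith(MAGIC[ext]):
        return None, "content does not match extension"
    # Magic bytes can be forged, so the client's name is never reused:
    # store under a random name with the allowlisted extension.
    return secrets.token_hex(16) + "." + ext, None
```

The content check alone does not stop a file that starts with valid image bytes and carries script code after them, which is why the stored name is server-chosen and the upload directory should still be covered by the web server rules above.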
🔍 How to Verify
Check if Vulnerable:
Check if liufee CMS version is 2.0.7.1 by examining version files or admin panel
Check Version:
grep -r "version.*2\.0\.7\.1" /path/to/liufee-cms/ || cat /path/to/liufee-cms/version.txt
Verify Fix Applied:
Attempt to upload a file with double extension (e.g., test.php.jpg) - should be rejected
📡 Detection & Monitoring
Log Indicators:
- Multiple failed file upload attempts
- Uploads with suspicious file extensions
- Large number of POST requests to upload endpoints
Network Indicators:
- POST requests to /admin/upload or similar endpoints with executable file extensions
- Unusual outbound connections from web server after file upload
SIEM Query:
source="web_logs" AND (uri="*upload*" AND (file_ext="php" OR file_ext="jsp" OR file_ext="asp" OR file_ext="pl" OR file_ext="py"))