CVE-2020-22643
📋 TL;DR
Feehi CMS 2.1.0 contains an arbitrary file upload vulnerability that allows authenticated administrators to upload malicious files. This can lead to remote code execution on the web server. Only systems running Feehi CMS 2.1.0 with administrator access are affected.
💻 Affected Systems
- Feehi CMS
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise through remote code execution, allowing an attacker to steal data, install malware, or pivot to other systems.
Likely Case
Webshell deployment leading to data exfiltration, defacement, or further exploitation of the server.
If Mitigated
Limited impact if file uploads are restricted to non-executable directories with proper permissions.
🎯 Exploit Status
Exploitation requires administrator credentials but is straightforward once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.1 or later
Vendor Advisory: https://github.com/liufee/cms/issues/51
Restart Required: No
Instructions:
1. Back up your current installation.
2. Download and install Feehi CMS 2.1.1 or later.
3. Verify that the update was applied successfully.
🔧 Temporary Workarounds
Restrict file upload extensions
Configure the web server so that files with script or HTML extensions in the upload directories are never served or executed; ideally serve only image extensions (jpg, png, gif) from those directories.
# Apache: add to .htaccess in the upload directory (AllowOverride must permit
# .htaccess for that directory, otherwise put the block in the vhost config)
<FilesMatch "\.(php|php3|php4|php5|phtml|pl|py|jsp|asp|htm|html|shtml|sh|cgi)$">
Order Allow,Deny
Deny from all
</FilesMatch>
# Apache 2.4 without mod_access_compat: replace the Order/Deny lines above with
# "Require all denied"
# Nginx: add to the server block. The rule must be scoped to the upload directory;
# an unscoped "location ~* \.(php...)$ { deny all; }" would either deny PHP to the
# whole CMS or, if listed after the PHP-FPM location, never match at all. The "^~"
# prefix location wins over any regex location regardless of ordering, and the
# nested regex then blocks scripts only beneath it.
# Replace /<upload-dir>/ (a placeholder) with the path the CMS writes uploads to.
location ^~ /<upload-dir>/ {
    location ~* \.(php|php3|php4|php5|phtml|pl|py|jsp|asp|htm|html|shtml|sh|cgi)$ {
        deny all;
    }
}
Disable administrator image upload
Temporarily disable the vulnerable image upload functionality in the admin panel.
# Modify CMS code to remove or disable upload functionality
🧯 If You Can't Patch
- Implement strict file upload validation on the web application layer.
- Restrict upload directory permissions to prevent execution of uploaded files.
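For the application-layer validation recommended above, here is an added example (not Feehi CMS code, and written in Python rather than the CMS's PHP so it runs as-is) of the checks an image upload endpoint can apply: every dotted segment of the filename must be an image extension (so a double extension such as avatar.php.jpg is refused), the leading bytes must match the claimed type, the size is capped, and the client-supplied name is discarded in favour of a random server-chosen one. The names validate_image_upload, is_accepted and the 5 MB limit are assumptions of the example.

```python
import os
import secrets
from typing import Optional

# Image types the endpoint accepts: canonical extension -> leading bytes (magic numbers).
ALLOWED_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
EXTENSION_ALIASES = {"jpeg": "jpg"}
MAX_BYTES = 5 * 1024 * 1024  # assumed upload cap for this example


class UploadRejected(ValueError):
    """Raised with a reason string when an upload fails validation."""


def sniff_type(data: bytes) -> Optional[str]:
    """Return the image type implied by the file's leading bytes, or None."""
    for ext, magics in ALLOWED_TYPES.items():
        if any(data.startswith(m) for m in magics):
            return ext
    return None


def validate_image_upload(client_name: str, data: bytes) -> str:
    """Validate an uploaded image and return a safe, server-chosen filename.

    Raises UploadRejected on any failure. The returned name is never derived
    from client input, so traversal and double-extension tricks cannot reach disk.
    """
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("empty or oversized upload")
    # Drop any directory component the client sent (../, absolute or Windows paths).
    base = os.path.basename(client_name.replace("\\", "/"))
    if "\x00" in base or base in ("", ".", ".."):
        raise UploadRejected("malformed filename")
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        raise UploadRejected("missing basename or extension")
    # Every extension segment must be an image type: "avatar.php.jpg" is refused
    # outright instead of trusting the last segment. Legitimate names with dots
    # ("my.photo.jpg") are rejected too; that trade-off is deliberate here.
    exts = [EXTENSION_ALIASES.get(p, p) for p in parts[1:]]
    if any(e not in ALLOWED_TYPES for e in exts):
        raise UploadRejected(f"disallowed extension in {base!r}")
    claimed = exts[-1]
    # Trust the bytes, not the name: content must be a real image of the claimed type.
    actual = sniff_type(data)
    if actual is None:
        raise UploadRejected("content is not a recognised image")
    if actual != claimed:
        raise UploadRejected(f"extension {claimed} does not match content {actual}")
    # Server-chosen random name with the verified extension; nothing from the client survives.
    return f"{secrets.token_hex(16)}.{actual}"


def is_accepted(client_name: str, data: bytes) -> bool:
    """Convenience wrapper: True if the upload passes validation, False otherwise."""
    try:
        validate_image_upload(client_name, data)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    # Constructed samples: a minimal PNG header and a PHP-shaped blob.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print(validate_image_upload("avatar.png", png))                          # random name ending in .png
    print(is_accepted("shell.php", b"<?php echo 1;"))                       # False
    print(is_accepted("shell.php.jpg", b"\xff\xd8\xff" + b"\x00" * 16))     # False
    print(is_accepted("fake.jpg", b"<?php echo 1;"))                        # False
```

The returned name is what the application should write to disk; the directory it writes into should still carry the web-server deny rules from the workaround above, so that a validation bypass never becomes execution.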
🔍 How to Verify
Check if Vulnerable:
Check if running Feehi CMS version 2.1.0 and verify administrator image upload functionality exists.
Check Version:
Check the CMS admin panel or read the version file in the installation directory.
Verify Fix Applied:
Confirm version is 2.1.1 or later and test that malicious file uploads are blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to admin image upload endpoint
- Files with executable extensions in upload directories
- Multiple failed upload attempts
Network Indicators:
- POST requests to admin upload endpoints with unusual file types
- Subsequent requests to uploaded files with executable extensions
SIEM Query:
source="web_logs" AND (uri="/admin/upload" OR uri="/admin/image/upload") AND (file_extension="php" OR file_extension="jsp" OR file_extension="asp")
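As an added example for the log and network indicators above (not from the advisory or the Feehi project), the following Python reads web-server access lines in combined log format and raises the three signals listed: an executable extension requested from the upload directory, the same source IP having POSTed to one of the advisory's upload endpoints beforehand, and repeated failed upload attempts. The upload directory /uploads/, the threshold of three failures and the sample log lines are constructed assumptions; the endpoints /admin/upload and /admin/image/upload are the ones named in the SIEM query.

```python
import re
from collections import defaultdict
from datetime import datetime

# Endpoints named in the advisory's SIEM query.
UPLOAD_ENDPOINTS = {"/admin/upload", "/admin/image/upload"}
# Directory the CMS writes uploads to: an assumed placeholder, adjust to your deployment.
UPLOAD_DIR_PREFIX = "/uploads/"
EXEC_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "pl", "py", "jsp", "asp", "sh", "cgi"}
FAILED_UPLOAD_THRESHOLD = 3  # assumed: alert on the third non-2xx/3xx upload from one IP

# Combined log format up to the status code; referer and user agent are not needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "POST /admin/image/upload HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /uploads/2023/10/cmd.php?c=id HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:14:01:02 +0000] "GET /uploads/2023/10/logo.png HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2023:14:05:00 +0000] "POST /admin/upload HTTP/1.1" 403 0 "-" "curl/8.0"
10.0.0.7 - - [10/Oct/2023:14:05:01 +0000] "POST /admin/upload HTTP/1.1" 403 0 "-" "curl/8.0"
10.0.0.7 - - [10/Oct/2023:14:05:02 +0000] "POST /admin/upload HTTP/1.1" 403 0 "-" "curl/8.0"
10.0.0.11 - - [10/Oct/2023:14:10:00 +0000] "GET /uploads/old/x.phtml HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("target").split("?", 1)[0]  # strip the query string
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": path,
        "status": int(m.group("status")),
    }


def extension(path):
    """Lower-cased final extension of the last path segment, or '' if there is none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def analyze(lines):
    """Return alert dicts for the three indicators, in timestamp order."""
    events = [e for e in (parse_line(line) for line in lines) if e]
    events.sort(key=lambda e: e["ts"])
    alerts = []
    uploads_by_ip = defaultdict(list)  # ip -> timestamps of POSTs to an upload endpoint
    failures_by_ip = defaultdict(int)  # ip -> count of failed upload POSTs
    for e in events:
        if e["method"] == "POST" and e["path"] in UPLOAD_ENDPOINTS:
            uploads_by_ip[e["ip"]].append(e["ts"])
            if e["status"] >= 400:
                failures_by_ip[e["ip"]] += 1
                if failures_by_ip[e["ip"]] == FAILED_UPLOAD_THRESHOLD:
                    alerts.append({"type": "repeated_failed_uploads", "ip": e["ip"], "path": e["path"]})
            continue
        # Any request for a script-like file under the upload directory is suspect;
        # it is worse when the same IP hit the upload endpoint earlier in the window.
        if e["path"].startswith(UPLOAD_DIR_PREFIX) and extension(e["path"]) in EXEC_EXTENSIONS:
            kind = "upload_then_exec" if uploads_by_ip.get(e["ip"]) else "exec_in_upload_dir"
            alerts.append({"type": kind, "ip": e["ip"], "path": e["path"]})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(alert)
```

An upload_then_exec hit on the sample above (10.0.0.5 POSTs to /admin/image/upload, then fetches /uploads/2023/10/cmd.php four seconds later) is the sequence the network indicators describe and should be treated as a probable webshell until the file is inspected; the exec_in_upload_dir case with a 404 is lower priority but still worth a look at what was requested.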