CVE-2020-36082
📋 TL;DR
CVE-2020-36082 is a critical file upload vulnerability in bloofoxCMS that allows remote attackers to upload malicious webshell files. This enables arbitrary code execution and privilege escalation on affected systems. All users running bloofoxCMS version 0.5.2.1 are vulnerable.
💻 Affected Systems
- bloofoxCMS
📦 What is this software?
Bloofoxcms by Bloofox
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full administrative control, data exfiltration, and persistent backdoor access.
Likely Case
Webshell deployment leading to website defacement, data theft, and use as attack platform for further network penetration.
If Mitigated
Limited impact with proper file upload restrictions and web application firewalls blocking malicious uploads.
🎯 Exploit Status
Simple file upload exploitation with publicly available proof-of-concept code. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: None - bloofoxCMS is no longer maintained
Vendor Advisory: https://github.com/alexlang24/bloofoxCMS/issues/7
Restart Required: No
Instructions:
1. Migrate to an alternative CMS platform
2. Remove bloofoxCMS from production
3. No official patch exists as the project is abandoned
🔧 Temporary Workarounds
File Upload Restriction
Stop the web server from serving or executing script files placed in the upload directories (apply the rules only to those directories, not site-wide):
# Apache .htaccess example (place in the upload directory)
# "Order"/"Deny" is Apache 2.2 syntax (needs mod_access_compat on 2.4);
# on Apache 2.4 use "Require all denied" inside the FilesMatch block instead.
<FilesMatch "\.(php|phtml|php3|php4|php5|phps|php7|php8|inc|pl|py|jsp|asp|aspx|cgi|sh|bash)$">
Order Allow,Deny
Deny from all
</FilesMatch>
# Nginx location block (nest it under the upload directory's location so it
# takes precedence over the site's generic "location ~ \.php$" handler)
location ~* \.(php|phtml|php3|php4|php5|phps|php7|php8|inc|pl|py|jsp|asp|aspx|cgi|sh|bash)$ {
deny all;
}
Web Application Firewall
Deploy a WAF with file upload protection rules
# ModSecurity rule example
# Requires "SecRequestBodyAccess On" so multipart bodies are parsed in phase 2.
# FILES holds the client-supplied file names; FILES_TMPNAMES only holds the
# server's temporary paths (e.g. /tmp/php...), so the extension match must use FILES.
SecRule FILES "@rx \.(php|phtml|php3|php4|php5|phps|php7|php8|inc|pl|py|jsp|asp|aspx|cgi|sh|bash)$" \
"id:1001,phase:2,t:lowercase,deny,log,msg:'Blocked malicious file upload'"
🧯 If You Can't Patch
- Isolate bloofoxCMS instance in separate network segment with strict egress filtering
- Implement file integrity monitoring on upload directories and alert on suspicious file creations
🔍 How to Verify
Check if Vulnerable:
Check CMS version in admin panel or look for bloofoxCMS 0.5.2.1 in source code
Check Version:
# Check for bloofoxCMS files
grep -r "bloofoxCMS" /var/www/ 2>/dev/null | grep -i version
Verify Fix Applied:
Upload a harmless test file carrying a script extension (for example test.php containing only plain text); the upload itself, or any later request for the file, should be refused
📡 Detection & Monitoring
Log Indicators:
- File uploads with .php, .phtml, .jsp extensions
- Large POST requests to upload endpoints
- Unusual file creations in upload directories
Network Indicators:
- POST requests to /admin/upload.php or similar paths
- HTTP 200 responses after file upload attempts
SIEM Query:
source="web_logs" (method="POST" AND uri="*upload*" AND (extension="php" OR extension="phtml" OR extension="jsp" OR extension="asp"))
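The file integrity monitoring and "unusual file creations in upload directories" indicators above can be checked with a small scanner. The following is an added example, not code from bloofoxCMS or the advisory: it walks an upload tree and flags files by the extension list used in the server rules (including double extensions such as x.php.jpg and upper-case variants) and by a PHP open tag in the content, against a constructed sample directory.

```python
import re
import tempfile
from pathlib import Path

# Extensions the web server rules above refuse to serve; compared case-insensitively.
EXEC_EXTENSIONS = {
    "php", "phtml", "php3", "php4", "php5", "phps", "php7", "php8", "inc",
    "pl", "py", "jsp", "asp", "aspx", "cgi", "sh", "bash",
}
# A PHP open tag in the first few KB marks PHP code whatever the file name says.
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def suspicious_extensions(name):
    """Every executable extension in the name, not only the last ('x.php.jpg' -> ['php'])."""
    return [p for p in name.lower().split(".")[1:] if p in EXEC_EXTENSIONS]


def scan_upload_dir(root, head_bytes=4096):
    """Return sorted (relative path, reasons) pairs for files that do not belong in an upload tree."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        reasons = []
        exts = suspicious_extensions(path.name)
        if exts:
            reasons.append("executable extension: " + ",".join(exts))
        with path.open("rb") as fh:
            if PHP_OPEN_TAG.search(fh.read(head_bytes)):
                reasons.append("PHP open tag in content")
        if reasons:
            findings.append((path.relative_to(root).as_posix(), reasons))
    return sorted(findings)


def demo():
    """Constructed sample upload directory (made-up data, not from a real install)."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "photo.jpg": b"\xff\xd8\xff\xe0JFIF",       # genuine image header, clean
            "shell.php": b"<?php echo 'hi'; ?>",        # name and content both flag
            "avatar.php.jpg": b"\xff\xd8\xff\xe0JFIF",  # double extension
            "notes.txt": b"<?= 'hi' ?>",                # harmless name, PHP short echo tag
            "upload.PHTML": b"plain text",              # upper-case script extension
        }
        for name, data in samples.items():
            Path(tmp, name).write_bytes(data)
        return scan_upload_dir(tmp)


if __name__ == "__main__":
    for rel, why in demo():
        print(rel, "->", "; ".join(why))
```

Run it periodically (or from an inotify/FIM hook) against the real upload directory instead of the temporary sample tree.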