CVE-2021-26610

7.2 HIGH

📋 TL;DR

CVE-2021-26610 is a remote code execution vulnerability in godomall5's file upload function, which lacks proper file extension and authority validation. Attackers can upload malicious files and execute arbitrary code on affected systems. It affects all installations of godomall5 that use the vulnerable move_uploaded_file code path.

💻 Affected Systems

Products:
  • godomall5
Versions: All versions prior to patched release
Operating Systems: Any OS running godomall5
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any godomall5 installation with file upload functionality enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise allowing attackers to execute arbitrary commands, steal data, install malware, or pivot to other systems.

🟠 Likely Case: Webshell deployment leading to data theft, defacement, or use as a foothold for further attacks.

🟢 If Mitigated: Limited impact with proper file upload restrictions and web application firewalls in place.

🌐 Internet-Facing: HIGH - Web applications with file upload functionality are directly exposed to internet attacks.
🏢 Internal Only: MEDIUM - Internal users could exploit this, but attack surface is smaller than internet-facing systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple file upload bypass techniques can be used to exploit this vulnerability without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisory for specific patched version

Vendor Advisory: https://www.boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=36304

Restart Required: Yes

Instructions:

1. Check the vendor advisory for the patched version.
2. Back up the current installation.
3. Apply the vendor-provided patch.
4. Restart the web server.
5. Verify that the fix is in place.

🔧 Temporary Workarounds

File Upload Restriction

Applies to: all

Implement strict file type validation and extension whitelisting, and configure the web server so that nothing stored in the upload directory is ever executed as a script.

# Apache example: deny direct requests to script files inside the upload directory
# (place in the vhost config, or in an .htaccess file inside the upload directory).
# The (?i) prefix makes the match case-insensitive, so "shell.PHP" is covered too.
# Apache 2.4 syntax:
<FilesMatch "(?i)\.(php|phtml|phar)$">
    Require all denied
</FilesMatch>
# Apache 2.2 syntax:
# <FilesMatch "(?i)\.(php|phtml|phar)$">
#     Deny from all
# </FilesMatch>
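As an added illustration of the "strict file type validation and extension whitelisting" this workaround calls for, the following Python validator is example code written for this page; it is not code from godomall5 or from the vendor. The allow-list, the executable-extension list and the magic-byte table are assumptions chosen for the example, and it goes a little beyond the single extension check by also rejecting path components, control characters, multi-extension names such as shell.php.jpg, and content that does not match the claimed type.

```python
import secrets

# Allow-list of final extensions the application accepts (assumption for this example).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}

# Server-executable extensions that must not appear anywhere in the name: with
# multi-extension handling (e.g. Apache AddHandler) "shell.php.jpg" can still run as PHP.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps", "htaccess"}

# Leading bytes expected for each allowed type (constructed table for this example).
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}


def validate_upload(client_filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for an uploaded file, trusting nothing the client sent."""
    # 1. Keep only the last path component so "../../x.php" cannot escape the upload dir.
    name = client_filename.replace("\\", "/").rsplit("/", 1)[-1]

    # 2. Reject control characters, including NUL (the "x.php\0.jpg" truncation trick).
    if not name or any(ord(c) < 32 or ord(c) == 0x7F for c in name):
        return False, "invalid characters in filename"

    # 3. Split on every dot and inspect all extension components, case-insensitively.
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        # no extension at all, or a dotfile such as ".htaccess"
        return False, "missing extension"
    extensions = parts[1:]
    if any(ext in EXECUTABLE_EXTENSIONS for ext in extensions):
        return False, "executable extension present"
    final = extensions[-1]
    if final not in ALLOWED_EXTENSIONS:
        return False, f"extension .{final} not in allow-list"

    # 4. The content must match the claimed type; the name alone proves nothing.
    if not content.startswith(MAGIC[final]):
        return False, "content does not match extension"
    return True, "ok"


def safe_storage_name(client_filename: str) -> str:
    """Server-chosen random name; only the (already validated) extension is kept."""
    ext = client_filename.rsplit(".", 1)[-1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed inputs: one benign JPEG and the usual bypass attempts.
    samples = [
        ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 12),
        ("shell.php", b"<?php echo 'x'; ?>"),
        ("shell.php.jpg", b"\xff\xd8\xff"),
        ("../../shell.phtml", b"x"),
        ("x.jpg", b"<?php echo 'x'; ?>"),
        ("x.php\x00.jpg", b"\xff\xd8\xff"),
    ]
    for filename, data in samples:
        ok, reason = validate_upload(filename, data)
        stored = safe_storage_name(filename) if ok else "-"
        print(f"{filename!r:28} accepted={ok!s:5} reason={reason!r} stored_as={stored}")
```

The storage name is generated server-side so that the client-controlled name never reaches the filesystem; combined with the web-server rule above, an accepted file is both non-executable by extension and unreachable as a script.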

Web Application Firewall Rules

Applies to: all

Block suspicious file upload patterns

# ModSecurity example: reject multipart uploads whose original filename ends in an
# executable extension. FILES holds the client-supplied filenames; FILES_TMPNAMES holds
# the engine's own temporary file names, so matching an extension against it never fires.
# Needs SecRequestBodyAccess On and runs in phase 2 (request body). The rule id is a
# placeholder; use one from your local id range.
SecRule FILES "@rx (?i)\.(php|phtml|phar|exe|bat|sh)$" \
    "id:900001,phase:2,t:none,deny,status:403,log,msg:'Upload with executable extension blocked'"

🧯 If You Can't Patch

  • Disable file upload functionality completely in godomall5
  • Implement network segmentation to isolate godomall5 server from critical systems

🔍 How to Verify

Check if Vulnerable:

Test if you can upload files with executable extensions (like .php, .phtml) through godomall5's upload interface

Check Version:

Check godomall5 version in admin panel or configuration files

Verify Fix Applied:

Attempt to upload files with executable extensions after patching; they should be rejected with proper validation errors.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads with executable extensions
  • Multiple failed upload attempts
  • Webshell access patterns in access logs

Network Indicators:

  • POST requests to upload endpoints with suspicious file names
  • Outbound connections from web server to unknown IPs

SIEM Query:

source="web_logs" AND method="POST" AND (uri="*upload*" OR uri="*move_uploaded*") AND (filename="*.php" OR filename="*.phtml" OR filename="*.phar")

The method and URI conditions are combined with AND; OR-ing method="POST" with the URI terms would match every POST request. The filename field is only available from a log source that records the multipart filename (a WAF or application log); a plain access log does not carry it.
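To show the log and network indicators above as something that can be run over real logs, here is an added Python example (not code from the page, from godomall5 or from any SIEM vendor) that parses combined-format access log lines and flags two of the listed indicators: script files being requested from a directory that should only hold uploaded data (webshell access pattern), and repeated failed POSTs to an upload endpoint from one source. The log lines, IPs, hostnames, upload endpoint and storage directory are constructed for the example; UPLOAD_ENDPOINT and UPLOAD_DIRS are assumptions to be set to the application's real paths.

```python
import re
from collections import Counter

# Constructed sample in combined log format; hosts, IPs and paths are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2021:10:01:02 +0900] "POST /upload.php HTTP/1.1" 200 512 "https://shop.example/admin/" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2021:10:01:09 +0900] "GET /uploads/editor/cmd.php?x=1 HTTP/1.1" 200 77 "-" "python-requests/2.25"
203.0.113.5 - - [10/Mar/2021:10:01:15 +0900] "POST /uploads/editor/cmd.php HTTP/1.1" 200 1024 "-" "python-requests/2.25"
198.51.100.9 - - [10/Mar/2021:10:02:00 +0900] "POST /upload.php HTTP/1.1" 403 0 "https://shop.example/admin/" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2021:10:02:03 +0900] "POST /upload.php HTTP/1.1" 403 0 "https://shop.example/admin/" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2021:10:02:07 +0900] "POST /upload.php HTTP/1.1" 403 0 "https://shop.example/admin/" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2021:10:03:00 +0900] "GET /uploads/image/banner.jpg HTTP/1.1" 200 30211 "https://shop.example/" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "METHOD target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hypothetical values: point these at the application's real upload endpoint and storage dirs.
UPLOAD_ENDPOINT = re.compile(r"upload|move_uploaded", re.I)
UPLOAD_DIRS = ("/uploads/",)
EXEC_EXT = re.compile(r"\.(php\d?|phtml|phar|phps)$", re.I)
FAILED_UPLOAD_THRESHOLD = 3


def parse_line(line: str):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec.pop("target").split("?", 1)[0]  # drop the query string
    return rec


def analyze(log_text: str) -> dict:
    """Apply the two indicators to a block of log text and return the findings."""
    webshell_hits = {}          # insertion-ordered set of (ip, method, path)
    failed_uploads = Counter()  # ip -> number of 4xx POSTs to the upload endpoint
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Indicator: a script executed from a directory that should hold only data files.
        if rec["path"].startswith(UPLOAD_DIRS) and EXEC_EXT.search(rec["path"]):
            webshell_hits[(rec["ip"], rec["method"], rec["path"])] = None
        # Indicator: repeated rejected upload attempts from a single source.
        if (rec["method"] == "POST" and UPLOAD_ENDPOINT.search(rec["path"])
                and 400 <= rec["status"] < 500):
            failed_uploads[rec["ip"]] += 1
    return {
        "webshell_hits": list(webshell_hits),
        "failed_uploads": [(ip, n) for ip, n in failed_uploads.items()
                           if n >= FAILED_UPLOAD_THRESHOLD],
    }


if __name__ == "__main__":
    for indicator, findings in analyze(SAMPLE_LOG).items():
        print(indicator, findings)
```

Any hit on the first indicator deserves a look on its own: a correctly configured upload directory should never serve a .php file, so a 200 there means either the web-server rule from the workarounds is missing or a script has already been planted. The second indicator is a tuning knob; raise FAILED_UPLOAD_THRESHOLD on noisy sites.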
