CVE-2021-28428
📋 TL;DR
This CVE describes a file upload vulnerability in HorizontCMS that allows attackers to bypass PHP extension restrictions by uploading .htaccess and .hello files. This enables remote code execution (RCE) on affected systems. All users running HorizontCMS versions before 1.0.0-beta.3 are affected.
💻 Affected Systems
- HorizontCMS
📦 What is this software?
Horizontcms by Horizontcms Project
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control over the web server, data exfiltration, and lateral movement within the network.
Likely Case
Webshell deployment leading to data theft, defacement, or use as a foothold for further attacks.
If Mitigated
Limited impact with proper file upload restrictions and web application firewalls in place.
🎯 Exploit Status
Exploitation requires access to upload functionality, which typically requires authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.0-beta.3 and later
Vendor Advisory: https://github.com/ttimot24/HorizontCMS/commit/9c4d6827cbe96decec6834d53660e14ab2bf8838
Restart Required: No
Instructions:
1. Update HorizontCMS to version 1.0.0-beta.3 or later.
2. Replace all existing files with the patched version.
3. Verify the fix by checking that .htaccess and .hello files cannot be uploaded.
🔧 Temporary Workarounds
Disable Media Files Upload
Temporarily disable the Media Files upload functionality until patching is complete.
Modify application configuration to disable uploads or restrict access to upload endpoints
Web Server File Restriction
Configure the web server to block execution of .hello files and to restrict modification of .htaccess files.
Add to Apache .htaccess:
<FilesMatch "\.hello$">
Deny from all
</FilesMatch>
On Apache 2.4 the equivalent directive is "Require all denied". Because this CVE allows an attacker to upload a .htaccess file, prefer placing the rule in the server or virtual-host configuration and setting AllowOverride None for the upload directory, so an uploaded .htaccess cannot override it.
Set appropriate permissions on .htaccess files.
🧯 If You Can't Patch
- Implement strict file upload validation that checks file content, not just extensions.
- Deploy a web application firewall (WAF) with file upload protection rules.
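An allowlist-plus-content check of the kind the first bullet calls for, added here as an illustration (Python, not HorizontCMS code). The extension list and magic bytes are constructed assumptions, and blocklist_allows models the PHP-extension blocklist this CVE shows being bypassed by .hello and .htaccess names.

```python
import re

# Allowlist of extensions the media library should accept, each mapped to the
# leading bytes (magic) a file of that type must start with. Constructed for
# this example; extend it to the types the site actually needs.
ALLOWED = {
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "jpg":  [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif":  [b"GIF87a", b"GIF89a"],
    "pdf":  [b"%PDF-"],
}

# Model of the insufficient check: a blocklist of PHP extensions only.
# ".hello" and ".htaccess" are not on it, so both names pass.
PHP_BLOCKLIST = {"php", "php3", "php4", "php5", "phtml", "phar"}


def blocklist_allows(filename: str) -> bool:
    """Blocklist-only check (the weak approach). True means 'would be accepted'."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in PHP_BLOCKLIST


def validate_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Allowlist check. Returns (accepted, reason_or_safe_name).

    Accepts only a single allowlisted extension, a name restricted to safe
    characters, and content whose leading bytes match the declared type.
    """
    # Strip any directory components sent by the client.
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    if not name or name.startswith("."):
        return False, "dotfile or empty name (e.g. .htaccess)"
    if name.count(".") != 1:
        return False, "must have exactly one extension"
    stem, ext = name.rsplit(".", 1)
    ext = ext.lower()
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", stem):
        return False, "unsafe characters in name"
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowlisted"
    if not any(content.startswith(magic) for magic in ALLOWED[ext]):
        return False, f"content does not look like {ext}"
    return True, f"{stem}.{ext}"
```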
🔍 How to Verify
Check if Vulnerable:
Check if HorizontCMS version is below 1.0.0-beta.3 and if Media Files upload accepts .htaccess or .hello files.
Check Version:
Check HorizontCMS version in admin panel or application configuration files.
Verify Fix Applied:
Attempt to upload .htaccess or .hello files through Media Files upload; patched versions should reject them.
📡 Detection & Monitoring
Log Indicators:
- File upload attempts for .htaccess or .hello files
- Unexpected PHP execution from uploaded files
- Web server error logs showing file permission issues
Network Indicators:
- POST requests to upload endpoints with suspicious file types
- Outbound connections from web server to unknown IPs
SIEM Query:
source="web_server_logs" AND (file_extension=".hello" OR file_extension=".htaccess")