CVE-2021-32630

9.6 CRITICAL

📋 TL;DR

This vulnerability allows authenticated users with upload permissions in Admidio to execute arbitrary PHP code on the server by uploading malicious .phar files. The attacker can achieve remote code execution (RCE) and potentially gain full control of the affected system. Organizations using vulnerable versions of Admidio with user upload functionality enabled are affected.

💻 Affected Systems

Products:
  • Admidio
Versions: All versions before 4.0.4
Operating Systems: All platforms running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the Documents & Files upload feature to be enabled and users with upload permissions.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server compromise leading to data theft, lateral movement, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case: Unauthorized access to sensitive user data, website defacement, or use of server resources for malicious activities.

🟢 If Mitigated: Limited impact if proper file extension filtering is implemented, though other attack vectors may still exist.

🌐 Internet-Facing: HIGH - Web applications with upload functionality are directly accessible from the internet.
🏢 Internal Only: MEDIUM - Internal users with upload permissions could exploit this, but requires authenticated access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated user with upload permissions. Renaming PHP web shells to the .phar extension is a well-documented technique.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.0.4

Vendor Advisory: https://github.com/Admidio/admidio/security/advisories/GHSA-xpqj-67r8-25j2

Restart Required: No

Instructions:

1. Back up your Admidio installation and database.
2. Download Admidio version 4.0.4 or later from the official repository.
3. Replace all files with the new version, preserving your configuration files.
4. Verify that the installation works correctly.

🔧 Temporary Workarounds

Block .phar file uploads (Platform: all)

Add .phar to the list of blocked file extensions in Admidio's upload configuration.

Edit the Admidio configuration to add 'phar' to the list of prohibited file extensions in the upload settings.

Disable file upload feature (Platform: all)

Temporarily disable the Documents & Files upload functionality until patching can be completed.

Disable the upload feature through Admidio's admin interface or by modifying the configuration files.

🧯 If You Can't Patch

  • Implement strict file extension filtering to block .phar and other executable file types
  • Restrict upload permissions to only trusted administrators

🔍 How to Verify

Check if Vulnerable:

Check your Admidio version in the admin panel or by examining the version.php file. If the version is below 4.0.4, the installation is vulnerable.

Check Version:

Check the version.php file or admin dashboard for version information.

Verify Fix Applied:

After updating, verify that the displayed version is 4.0.4 or higher and test that .phar files are rejected on upload.

📡 Detection & Monitoring

Log Indicators:

  • Uploads of .phar files in web server logs
  • Unusual PHP execution patterns
  • File uploads from authenticated users with suspicious filenames

Network Indicators:

  • Outbound connections from web server to unknown IPs after file uploads
  • Unusual HTTP requests to uploaded files

SIEM Query:

web_access_logs WHERE uri CONTAINS '.phar' OR filename CONTAINS '.phar'
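As an added example (not part of this advisory), the following Python checker applies the log indicator above to web server access logs. It matches on the decoded, lower-cased file extension rather than a bare '.phar' substring, so mixed case, percent-encoding and query strings do not hide a hit; the log lines, hosts and paths are constructed for the example.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample lines in combined access-log format; hosts, paths and
# timestamps are invented for this example and are not from a real incident.
SAMPLE_LOG = """\
203.0.113.10 - - [10/May/2021:14:02:11 +0000] "POST /upload.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
203.0.113.10 - - [10/May/2021:14:02:15 +0000] "GET /files/documents/invoice.PHAR HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2021:14:03:01 +0000] "GET /files/documents/report.pdf HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.10 - - [10/May/2021:14:04:40 +0000] "GET /files/documents/invoice%2Ephar?x=1 HTTP/1.1" 200 77 "-" "curl/7.68.0"
not a log line
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def normalized_path(target: str) -> str:
    """Decode percent-encoding, drop the query string and lower-case the path."""
    return unquote(urlsplit(target).path).lower()

def is_phar_path(target: str) -> bool:
    """True when the requested resource has a .phar extension, regardless of
    case, percent-encoding or a trailing query string."""
    return normalized_path(target).endswith(".phar")

def find_phar_requests(log_text: str) -> list:
    """Return one (ip, timestamp, path, status) tuple per request for a .phar
    resource. Unparseable lines are skipped rather than raising."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_phar_path(m["target"]):
            hits.append((m["ip"], m["ts"], normalized_path(m["target"]), int(m["status"])))
    return hits

def served_phar_by_ip(log_text: str) -> dict:
    """Count, per client IP, .phar requests answered with 2xx: a 2xx means the
    uploaded file was reachable on the web server (and, with PHP, likely run)."""
    counts: dict = {}
    for ip, _ts, _path, status in find_phar_requests(log_text):
        if 200 <= status < 300:
            counts[ip] = counts.get(ip, 0) + 1
    return counts

if __name__ == "__main__":
    for hit in find_phar_requests(SAMPLE_LOG):
        print(hit)
    print(served_phar_by_ip(SAMPLE_LOG))
```

The upload itself usually carries the filename in the multipart request body, which access logs do not record, so pair this check with the application's own upload log or a listing of the upload directory.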
