CVE-2021-34128
📋 TL;DR
CVE-2021-34128 is an arbitrary file upload vulnerability in LaikeTui e-commerce software that allows authenticated attackers to upload ZIP archives containing PHP files, leading to remote code execution. This affects LaikeTui version 3.5.0 specifically. Attackers can execute arbitrary PHP code on the server with the privileges of the web application.
💻 Affected Systems
- LaikeTui
📦 What is this software?
LaikeTui, an e-commerce platform published by Laiketui.
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise allowing attackers to execute arbitrary commands, steal data, install backdoors, pivot to internal networks, and maintain persistent access.
Likely Case
Attackers upload web shells to gain control of the web server, deface websites, steal customer data, and use the server for further attacks.
If Mitigated
With proper file upload validation and web application firewalls, exploitation attempts are blocked and logged for investigation.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward via web interface. Public proof-of-concept demonstrates the attack vector clearly.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 3.5.0
Vendor Advisory: https://github.com/bettershop/LaikeTui/issues/8
Restart Required: No
Instructions:
1. Upgrade LaikeTui to a version newer than 3.5.0.
2. Verify the patch by checking that ZIP uploads no longer accept PHP files.
3. Test the payment module functionality.
🔧 Temporary Workarounds
File Upload Restriction
Implement server-side validation to block PHP file uploads via ZIP archives
Modify upload validation in index.php to reject .php extensions in ZIP files
Access Control
Restrict access to the vulnerable endpoint index.php?module=system&action=pay
Add IP whitelisting or additional authentication to the payment upload endpoint
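An added example of the server-side check described above (not LaikeTui's own code): it scans an uploaded archive before anything is extracted and refuses the whole upload if any entry could be executed as PHP or could change how the web server treats other files. It assumes the php-zip extension (ZipArchive) is available and that the handler runs before extraction.

```php
<?php
// Added example, not part of LaikeTui: inspect an uploaded ZIP before it is
// extracted into the web root. Returns the names of entries that must not be
// written; an empty array means the archive passed the check.
function findDangerousZipEntries(string $zipPath): array
{
    // Extensions commonly mapped to the PHP handler; keep in sync with the
    // web server configuration (AddHandler / location blocks).
    $phpExtensions = ['php', 'php3', 'php4', 'php5', 'php7', 'php8',
                      'phps', 'phtml', 'phar', 'pht'];
    // Per-directory config files that can re-enable PHP for other extensions.
    $configNames = ['.htaccess', '.user.ini'];

    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        // Unreadable archive: treat as rejected rather than extracting blindly.
        return ['<archive could not be opened>'];
    }

    $bad = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if ($name === false) {
            continue;
        }
        $normalized = str_replace('\\', '/', $name);

        // Reject path traversal and absolute paths outright.
        if (strpos($normalized, '../') !== false || substr($normalized, 0, 1) === '/') {
            $bad[] = $name;
            continue;
        }

        $base = strtolower(basename($normalized));
        if (in_array($base, $configNames, true)) {
            $bad[] = $name;
            continue;
        }

        // Check every dotted segment so shell.php.jpg is caught as well as shell.php.
        $parts = explode('.', $base);
        array_shift($parts); // drop the filename stem
        if (array_intersect($parts, $phpExtensions) !== []) {
            $bad[] = $name;
        }
    }
    $zip->close();
    return $bad;
}

// Usage in the upload handler (hypothetical field name): refuse the whole
// archive and log the offending entry names; never extract partially.
// $bad = findDangerousZipEntries($_FILES['file']['tmp_name']);
// if ($bad !== []) { http_response_code(400); error_log('rejected zip: ' . implode(',', $bad)); exit; }
```

The check is an allow-nothing-executable gate on archive contents; it complements, rather than replaces, storing extracted files outside the web root or in a directory where the server has PHP execution disabled.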
🧯 If You Can't Patch
- Implement web application firewall rules to block requests containing 'phpinfo.php' or suspicious ZIP upload patterns
- Disable the payment module upload functionality entirely if not required for business operations
🔍 How to Verify
Check if Vulnerable:
Test if authenticated users can upload ZIP files containing .php files via the payment module endpoint
Check Version:
Check LaikeTui version in admin panel or configuration files
Verify Fix Applied:
Attempt to upload a ZIP containing a PHP file and verify it's rejected or the PHP file cannot be executed
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to index.php?module=system&action=pay with ZIP uploads
- File uploads containing .php extensions
- Execution of unexpected PHP files in web directories
Network Indicators:
- Unusual outbound connections from web server following ZIP uploads
- Traffic patterns suggesting web shell communication
SIEM Query:
source="web_logs" AND (uri="*module=system*action=pay*" AND method="POST") AND (file_extension=".php" OR file_type="zip")