CVE-2021-41646

CVSS v3 base score: 9.8 CRITICAL

📋 TL;DR

This vulnerability allows a remote attacker to execute arbitrary code on Sourcecodester Online Reviewer System 1.0 by uploading a PHP file disguised as an image (for example with a double extension such as shell.php.jpg), bypassing the application's image upload checks, and then requesting the stored file so the web server runs it. The result is Remote Code Execution (RCE) in the context of the web server user. All installations of Sourcecodester Online Reviewer System 1.0 are affected.

💻 Affected Systems

Products:
  • Sourcecodester Online Reviewer System
Versions: 1.0
Operating Systems: Any OS running PHP web server
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable. The system must have file upload functionality enabled (default).

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise allowing attackers to execute arbitrary commands, steal data, install malware, pivot to other systems, and maintain persistent access.

🟠

Likely Case

Attackers upload web shells to gain control of the web server, deface websites, steal sensitive reviewer data, and use the system as a foothold for further attacks.

🟢

If Mitigated

If uploads are validated server-side and PHP execution is disabled in the upload directory, a malicious file is either rejected outright or stored as inert data that the server never interprets, so an attempt ends as a failed upload. A web application firewall adds a further layer but should not be the only control, since signature-based upload rules are routinely bypassed.

🌐 Internet-Facing: HIGH - The vulnerability is exploitable via unauthenticated file upload, making internet-facing instances immediate targets for automated attacks.
🏢 Internal Only: MEDIUM - Internal systems are still vulnerable but have reduced exposure compared to internet-facing instances.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public exploit scripts are available that automate the attack. The vulnerability requires no authentication and has simple exploitation steps.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch exists. The vendor has not released a fixed version. Consider migrating to alternative software or implementing workarounds.

🔧 Temporary Workarounds

Implement Strict File Upload Validation

Platform: all

Add server-side validation that checks the file extension, the sniffed MIME type and the image content itself, and never trusts the client-supplied filename or Content-Type header. Allow only the image formats the application needs (jpg, jpeg, png, gif) and reject everything else: an extension allowlist is safer than a PHP denylist, which misses .phtml, .phar and case variants.

Modify upload.php to include a check along these lines on the "file" form field:

    $allowed_extensions = ['jpg', 'jpeg', 'png', 'gif'];
    $ext = strtolower(pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION));
    $finfo = finfo_open(FILEINFO_MIME_TYPE); $mime = finfo_file($finfo, $_FILES['file']['tmp_name']);
    if (!in_array($ext, $allowed_extensions, true) || !in_array($mime, ['image/jpeg', 'image/png', 'image/gif'], true)) { exit('rejected'); }

Caveat: finfo only sniffs the leading bytes, so a file that begins with a valid GIF header and continues with <?php passes the MIME check. This validation therefore has to be combined with disabling PHP execution in the upload directory and, ideally, with re-encoding the image so that anything that is not pixel data is discarded.
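A fuller version of the same check, as an added example written for this page rather than the project's own upload.php. It assumes the form field is named file (as above), that the GD extension is available, and that UPLOAD_DIR is a hypothetical path outside the document root which is served only through a separate read-only handler not shown here. It goes beyond the fragments above by re-encoding the image and discarding the client filename, which defeats the image-header polyglot that a bare MIME sniff accepts.

```php
<?php
// Added hardening example; not the project's upload.php.
// Assumptions: form field "file", GD installed, UPLOAD_DIR outside the web root.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/reviewer-uploads';   // assumed path, never served directly
const MAX_BYTES  = 2 * 1024 * 1024;                // 2 MiB cap on uploads

// Allowed image types: last extension => MIME type libmagic must report
const ALLOWED = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Validate one entry of $_FILES and store it; returns the stored path or throws.
 * Each layer catches what the previous one misses:
 *  1. allowlist on the last extension (shell.php.jpg passes here; see 3 and 4)
 *  2. libmagic sniff of the content, cross-checked against that extension
 *  3. full decode and re-encode with GD: a "GIF89a<?php ...?>" polyglot passes
 *     finfo but only its pixel data survives re-encoding
 *  4. server-generated random name with a fixed extension: the client-supplied
 *     name never reaches the filesystem
 */
function storeImageUpload(array $f): string
{
    if (($f['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($f['size'] > MAX_BYTES || !is_uploaded_file($f['tmp_name'])) {
        throw new RuntimeException('rejected');
    }

    $ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('extension not allowed');
    }

    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $f['tmp_name']);
    finfo_close($finfo);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('content does not match extension');
    }

    // imagecreatefromstring() returns false (with a warning, suppressed here)
    // for anything GD cannot decode as an image.
    $img = @imagecreatefromstring((string) file_get_contents($f['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('not a decodable image');
    }

    $name = bin2hex(random_bytes(16)) . '.' . ($ext === 'jpeg' ? 'jpg' : $ext);
    $dest = UPLOAD_DIR . '/' . $name;
    $ok = match ($ext) {
        'png'   => imagepng($img, $dest),
        'gif'   => imagegif($img, $dest),
        default => imagejpeg($img, $dest, 90),
    };
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    return $dest;
}

// Usage inside the upload handler:
// try { $stored = storeImageUpload($_FILES['file']); }
// catch (RuntimeException $e) { http_response_code(400); exit('upload rejected'); }
```

Re-encoding is the layer that matters most against disguised files, but it is still only one layer: keep the execution block on the upload directory in place even with this handler, since a lossless format can in principle carry attacker-controlled bytes through a re-encode.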

Disable PHP Execution in Upload Directory

Platform: all

Configure the web server so that nothing under the upload directory is ever handed to the PHP interpreter, preferably in the server configuration rather than in .htaccess (which only takes effect with AllowOverride enabled and is itself a file an attacker may try to upload).

Apache: RemoveHandler only helps where PHP is mapped with AddHandler; denying the files outright works for mod_php and proxy_fcgi setups alike. The pattern is deliberately not anchored with $ so that double extensions such as shell.php.jpg are caught as well (directory path assumed; adjust to the real upload location):

    <Directory "/var/www/html/uploads">
        <FilesMatch "\.(?i:ph(p[3-7]?|tml|ar))">
            Require all denied
        </FilesMatch>
    </Directory>

Nginx has no per-directory configuration; the rule lives in the server block, and because regex locations are matched in order a plain "location ~* \.php$ { deny all; }" is easily shadowed by the generic fastcgi block for PHP. A nested location avoids the ordering problem (URI prefix assumed):

    location ^~ /uploads/ {
        location ~* \.ph(p[3-7]?|tml|ar) { return 403; }
    }

Also set try_files $uri =404 in the fastcgi location and security.limit_extensions = .php in the php-fpm pool, so that a request such as /uploads/shell.jpg/x.php cannot be executed through PATH_INFO handling.

🧯 If You Can't Patch

  • Remove or disable the file upload functionality entirely in the application
  • Implement a Web Application Firewall (WAF) with rules to block PHP file uploads and suspicious upload patterns

🔍 How to Verify

Check if Vulnerable:

On an instance you own or are authorized to test (ideally a copy), attempt to upload a PHP file carrying an image extension (e.g. shell.php.jpg) through the upload form, or run a public exploit script against it. The system is vulnerable if the file is stored under the web root and executes as PHP when requested by URL, rather than being rejected or returned as plain bytes.

Check Version:

Check the application's version in admin panel or readme files. The vulnerable version is specifically 1.0.

Verify Fix Applied:

Re-test the upload with the usual disguises (shell.php.jpg, .phtml and .phar extensions, an image header followed by <?php) and confirm each is rejected. Then check the execution block independently of the upload code: place a file such as exec_check.php containing <?php echo 'EXECUTED'; ?> into the upload directory via the filesystem, request it over HTTP, and confirm the response is a 403 (or at worst the raw source) and never the string EXECUTED. Delete the file afterwards.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed upload attempts, or attempts with PHP-type extensions (.php, .phtml, .phar) and double extensions (.php.jpg)
  • A file in the upload directory whose name contains .php, or whose content starts with an image header followed by <?php
  • Requests to the upload directory for paths containing .php, especially with query strings such as ?cmd= or with POST bodies

Network Indicators:

  • HTTP POST requests to upload endpoints with PHP file content
  • Subsequent requests to uploaded PHP files

SIEM Query:

The user-agent match on curl/wget in a naive query is noisy and misses scripted clients such as python-requests; correlate the upload POST with a later successful request to an executable-looking file in the upload directory from the same source instead (pseudo-SPL; adapt field names and the /uploads/ prefix to your log schema and deployment):

source="web_logs" ((method="POST" AND uri="*upload*") OR (method="GET" AND uri="*/uploads/*.php*" AND status=200))
| stats earliest(_time) AS first_seen, values(uri) AS uris, dc(method) AS methods BY src_ip
| where methods = 2

Any 200 response for uri="*/uploads/*.php*" on its own is already worth an alert, since nothing executable should be served from that directory.
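The same correlation run over raw access logs, as an added example in PHP (so it can be run with the CLI interpreter on the host next to the application) and not code from the original page or the product. The log lines are constructed samples in Apache/Nginx combined format, and the upload-directory prefix /uploads/ is an assumption to adjust.

```php
<?php
// Added detection example; not part of the Online Reviewer System.
// Input: combined-log lines (constructed below). Output: "ip path" pairs where a
// POST to an upload endpoint was followed, within a window, by a 200 response
// for a path under the upload directory whose name contains ".php".
declare(strict_types=1);

// ip, ident, user, [timestamp], "METHOD path proto", status
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';

/** Parse one combined-log line; returns null for lines that do not match. */
function parseLine(string $line): ?array
{
    if (!preg_match(LOG_RE, $line, $m)) {
        return null;
    }
    $ts = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($ts === false) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'ts'     => $ts->getTimestamp(),
        'method' => $m[3],
        'path'   => $m[4],
        'status' => (int) $m[5],
    ];
}

/**
 * Correlate upload POSTs with later fetches of PHP-named files in the upload
 * directory from the same source IP. ".php" is matched anywhere in the path so
 * that double extensions (shell.php.jpg) are covered; the query string stays
 * attached to the path, which is useful for spotting ?cmd= style web shells.
 */
function findUploadThenExec(array $lines, int $windowSec = 600, string $uploadDir = '/uploads/'): array
{
    $lastUpload = [];   // ip => timestamp of the most recent upload POST
    $hits = [];
    foreach ($lines as $line) {
        $e = parseLine($line);
        if ($e === null) {
            continue;
        }
        if ($e['method'] === 'POST' && stripos($e['path'], 'upload') !== false) {
            $lastUpload[$e['ip']] = $e['ts'];
            continue;
        }
        if ($e['status'] === 200
            && stripos($e['path'], $uploadDir) !== false
            && stripos($e['path'], '.php') !== false
            && isset($lastUpload[$e['ip']])
            && $e['ts'] - $lastUpload[$e['ip']] <= $windowSec) {
            $hits[] = $e['ip'] . ' ' . $e['path'];
        }
    }
    return $hits;
}

// Constructed sample traffic (not real log data): one upload-then-execute
// sequence from 203.0.113.7 and one benign request from another client.
$sample = [
    '203.0.113.7 - - [10/Oct/2021:14:02:11 +0000] "POST /reviewer/admin/upload.php HTTP/1.1" 200 512 "-" "python-requests/2.26"',
    '203.0.113.7 - - [10/Oct/2021:14:02:13 +0000] "GET /reviewer/uploads/x9.php.jpg?cmd=id HTTP/1.1" 200 48 "-" "python-requests/2.26"',
    '198.51.100.4 - - [10/Oct/2021:14:05:00 +0000] "GET /reviewer/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
];

// Run as: php detect.php  (reads the embedded sample; swap in file() on the real log)
print_r(findUploadThenExec($sample));
```

The benign index.php request is not flagged because it is neither under the upload directory nor preceded by an upload POST from that address; on a real log, feed file('/var/log/apache2/access.log') in place of $sample and lower the window if the server is busy.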
