CVE-2021-47904
📋 TL;DR
CVE-2021-47904 is an authenticated file upload vulnerability in PhreeBooks 5.2.3 that allows attackers to upload malicious PHP files through the Image Manager. This leads to remote code execution, enabling attackers to run arbitrary commands on the server. Organizations running vulnerable PhreeBooks installations are affected.
💻 Affected Systems
- PhreeBooks
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise leading to data theft, ransomware deployment, lateral movement within the network, and persistent backdoor installation.
Likely Case
Attackers gain shell access to the server, allowing them to steal sensitive data, modify or delete files, and use the server for further attacks.
If Mitigated
With proper file upload restrictions and web application firewalls, exploitation attempts are blocked and logged for investigation.
🎯 Exploit Status
Multiple public exploits exist with simple file upload mechanisms.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.2.4 or later
Vendor Advisory: https://www.phreesoft.com/
Restart Required: No
Instructions:
1. Back up your PhreeBooks installation and database.
2. Download the latest version from the official vendor website.
3. Replace the vulnerable files with patched versions.
4. Verify the Image Manager now restricts file uploads to allowed types only.
🔧 Temporary Workarounds
Restrict File Upload Types
Modify the Image Manager to only accept image file extensions (jpg, png, gif, etc.) and reject PHP files.
Modify upload validation in the Image Manager PHP files to check file extensions and MIME types
Web Application Firewall Rules
Configure the WAF to block file uploads containing PHP code or suspicious patterns.
Add WAF rule: Block requests with Content-Type containing 'php' or file extensions .php, .phtml, .php5, .php7
🧯 If You Can't Patch
- Disable the Image Manager functionality completely if not needed
- Implement strict file upload validation at the web server level (e.g., mod_security rules for Apache)
🔍 How to Verify
Check if Vulnerable:
Check whether you can upload a file with a .php extension through the Image Manager interface while authenticated.
Check Version:
Check the PhreeBooks version in the admin panel or look for version files in the installation directory.
Verify Fix Applied:
Attempt to upload a PHP file through the Image Manager - it should be rejected with an error message.
📡 Detection & Monitoring
Log Indicators:
- File upload attempts with .php extensions in web server logs
- Unusual POST requests to Image Manager endpoints
- Execution of unexpected PHP files in web directories
Network Indicators:
- Unusual outbound connections from the web server
- Large file uploads to Image Manager endpoints
SIEM Query:
source="web_logs" AND (uri="/image_manager/upload" OR uri="*upload*") AND (file_extension=".php" OR content_type="application/x-php")
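The log indicators above, turned into a small offline detector as an added example (not part of the original advisory or of PhreeBooks): it parses Apache combined-format lines and flags POSTs to an upload endpoint that name a PHP file, and any PHP file served from the image directory. The upload path `/image_manager/upload`, the `file=` query parameter, the `/images/` destination directory and the log lines themselves are constructed assumptions for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample Apache combined-format log lines (not real PhreeBooks traffic).
SAMPLE_LOG = """\
203.0.113.7 - admin [10/Oct/2023:13:55:36 +0000] "POST /image_manager/upload?file=logo.png HTTP/1.1" 200 512
203.0.113.7 - admin [10/Oct/2023:13:56:02 +0000] "POST /image_manager/upload?file=pic.php HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:56:10 +0000] "GET /images/pic.php HTTP/1.1" 200 88
198.51.100.4 - - [10/Oct/2023:13:57:00 +0000] "GET /images/logo.png HTTP/1.1" 200 4096
198.51.100.4 - - [10/Oct/2023:13:58:00 +0000] "GET /index.php HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
PHP_EXT = (".php", ".phtml", ".php5", ".php7")  # extensions named in the WAF workaround
UPLOAD_MARKERS = ("image_manager", "upload")    # assumed endpoint naming, as in the SIEM query
IMAGE_DIR = "/images/"                          # assumed directory uploaded images land in

def has_php_ext(value):
    return value.lower().rstrip("/").endswith(PHP_EXT)

def classify(line):
    """Return indicator tags for one log line (empty list if nothing suspicious)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m["target"])
    path, query = parts.path, parts.query
    tags = []
    # Indicator 1: POST to an upload endpoint whose path or query names a PHP file.
    if m["method"] == "POST" and any(k in path.lower() for k in UPLOAD_MARKERS):
        if has_php_ext(path) or any(has_php_ext(v) for v in query.split("&")):
            tags.append("php_upload_attempt")
    # Indicator 2: a PHP file successfully served from the image directory.
    if path.startswith(IMAGE_DIR) and has_php_ext(path) and m["status"].startswith("2"):
        tags.append("php_executed_in_image_dir")
    return tags

def scan(log_text):
    """Return (line_number, client_ip, request_target, tags) for each flagged line."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        tags = classify(line)
        if tags:
            hits.append((n, LOG_RE.match(line)["ip"], LOG_RE.match(line)["target"], tags))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```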