CVE-2022-24651
📋 TL;DR
CVE-2022-24651 is an unauthenticated arbitrary file upload vulnerability in sentcms 4.0.x that allows remote attackers to upload malicious PHP files through the /user/upload/upload interface. This leads to remote code execution on the web server. All sentcms 4.0.x installations with the vulnerable upload interface accessible are affected.
💻 Affected Systems
- sentcms
📦 What is this software?
Sentcms by Sentcms
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise with attacker gaining full control over the web server, data exfiltration, lateral movement, and persistent backdoor installation.
Likely Case
Webshell deployment leading to website defacement, data theft, and further exploitation of the server environment.
If Mitigated
File uploads blocked or properly validated, preventing malicious file execution while maintaining legitimate upload functionality.
🎯 Exploit Status
Simple HTTP POST request to upload interface with malicious PHP file payload.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: sentcms 4.0.2 or later
Vendor Advisory: https://github.com/sentcms/sentcms/releases
Restart Required: No
Instructions:
1. Back up the current installation.
2. Download sentcms 4.0.2 or later from the official repository.
3. Replace the vulnerable files with the patched version.
4. Verify that upload functionality is properly secured.
🔧 Temporary Workarounds
Disable vulnerable upload endpoint
Block access to the /user/upload/upload interface via web server configuration
# Apache: RewriteRule ^/user/upload/upload - [F]
# Nginx: location ~ ^/user/upload/upload { deny all; }
Implement file upload restrictions
Add server-side validation to restrict uploaded file types
# In PHP configuration (limits upload size only, not file type): upload_max_filesize = 2M
# In .htaccess for the upload directory (Apache 2.2 syntax; on Apache 2.4 it needs mod_access_compat):
<FilesMatch "\.(php|phtml|phar)$">
Order Deny,Allow
Deny from all
</FilesMatch>
🧯 If You Can't Patch
- Implement WAF rules to block file uploads with PHP extensions
- Restrict network access to sentcms administration interfaces
🔍 How to Verify
Check if Vulnerable:
Test if /user/upload/upload endpoint accepts file uploads without authentication and allows PHP file execution.
Check Version:
Check sentcms version in configuration files or admin panel.
Verify Fix Applied:
Attempt to upload a PHP file to /user/upload/upload - should be rejected or properly validated.
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /user/upload/upload with PHP file uploads
- Unusual file creation in upload directories
- Web server error logs showing file upload attempts
Network Indicators:
- POST requests to /user/upload/upload with file uploads
- Unusual outbound connections from web server
SIEM Query:
source="web_server" AND (uri="/user/upload/upload" AND method="POST") AND (file_extension="php" OR file_extension="phtml")
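A small script that applies the log and file-system indicators above to sample data, added here as an example (it is not code from this advisory or from sentcms). The access log lines and the upload-directory listing are constructed, the combined log format is assumed, and the upload path prefix /uploads/ is a placeholder for wherever sentcms stores uploads.

```python
# Added example: detection logic for the CVE-2022-24651 indicators (not advisory or sentcms code).
import re
from typing import Iterable, Iterator

UPLOAD_ENDPOINT = "/user/upload/upload"
# Extensions the advisory's .htaccess rule denies; the web server would execute these as PHP
PHP_EXTENSIONS = {"php", "phtml", "phar"}
# Assumed Apache/nginx combined format: host ident user [time] "METHOD URI PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')

def is_php_name(name: str) -> bool:
    """True if any dotted segment after the base name is a PHP extension, so
    'shell.php.jpg' is flagged as well as 'shell.php' (Apache mod_mime can map double extensions)."""
    return any(seg in PHP_EXTENSIONS for seg in name.lower().split(".")[1:])

def parsed(log_lines: Iterable[str]) -> Iterator[re.Match]:
    """Yield a match per line in the assumed combined format; lines that do not parse are skipped."""
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            yield m

def endpoint_posts(log_lines: Iterable[str]) -> list[dict]:
    """HTTP indicator: POST requests to the vulnerable upload endpoint (query string ignored)."""
    return [{"ip": m["ip"], "time": m["time"], "status": int(m["status"])}
            for m in parsed(log_lines)
            if m["method"] == "POST" and m["uri"].split("?", 1)[0] == UPLOAD_ENDPOINT]

def upload_dir_php_requests(log_lines: Iterable[str], upload_prefix: str = "/uploads/") -> list[str]:
    """Follow-up indicator: requests for PHP files under the (assumed) upload path, i.e. a webshell in use."""
    paths = (m["uri"].split("?", 1)[0] for m in parsed(log_lines))
    return [p for p in paths if p.startswith(upload_prefix) and is_php_name(p.rsplit("/", 1)[-1])]

def executable_uploads(listing: Iterable[str]) -> list[str]:
    """File-system indicator: names in the upload directory that the server could execute."""
    return [n for n in listing if is_php_name(n)]

# Constructed sample data (RFC 5737 documentation addresses)
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2022:14:02:11 +0000] "POST /user/upload/upload HTTP/1.1" 200 84 "-" "curl/7.79.1"',
    '198.51.100.7 - - [10/Mar/2022:14:02:30 +0000] "GET /user/upload/upload HTTP/1.1" 405 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2022:14:02:45 +0000] "GET /uploads/20220310/x.php HTTP/1.1" 200 21 "-" "curl/7.79.1"',
]
SAMPLE_LISTING = ["photo1.jpg", "x.php", "invoice.pdf", "avatar.phtml", "shell.php.jpg"]

if __name__ == "__main__":
    print("endpoint POSTs:", endpoint_posts(SAMPLE_LOG))
    print("PHP requests under upload path:", upload_dir_php_requests(SAMPLE_LOG))
    print("executable uploads:", executable_uploads(SAMPLE_LISTING))
```

On a real host, feed it the access log and a listing of the sentcms upload directory; a hit from all three functions for the same client in sequence is the pattern the advisory's "likely case" describes.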