CVE-2022-27131
📋 TL;DR
This vulnerability allows attackers to upload arbitrary PHP files to zbzcms v1.0 through the /zbzedit/php/zbz.php endpoint. Successful exploitation enables remote code execution, potentially giving attackers full control of affected systems. All users running zbzcms v1.0 are affected.
💻 Affected Systems
- zbzcms
📦 What is this software?
zbzcms (vendor: Zbzcms) is a PHP-based content management system. The vulnerable upload handler is the script /zbzedit/php/zbz.php shipped in its zbzedit directory.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full administrative access, data theft, lateral movement, and persistent backdoor installation.
Likely Case
Web server compromise leading to website defacement, data exfiltration, and use as a foothold for further attacks.
If Mitigated
Attack blocked at web application firewall level with no file uploads reaching vulnerable endpoint.
🎯 Exploit Status
Simple file upload vulnerability with publicly available proof-of-concept. No authentication required to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None known
Restart Required: No
Instructions:
No official patch available. Consider migrating to alternative CMS or implementing workarounds.
🔧 Temporary Workarounds
Block vulnerable endpoint
Add web server configuration to deny all access to /zbzedit/php/zbz.php
# Apache 2.4: add to the virtual host config. <Location> is not permitted in
# .htaccess; on Apache 2.2 replace "Require all denied" with
# "Order deny,allow" + "Deny from all".
<Location "/zbzedit/php/zbz.php">
    Require all denied
</Location>
# Apache 2.4, .htaccess placed in zbzedit/php/ (use <Files>, not <Location>)
<Files "zbz.php">
    Require all denied
</Files>
# Nginx: add to the server block. Use an exact-match ("=") location so it
# takes precedence over the usual "location ~ \.php$" FastCGI block; a plain
# prefix location would lose to that regex and leave the endpoint reachable.
# "return 403" runs before the access phase, so "deny all" would be redundant.
location = /zbzedit/php/zbz.php {
    return 403;
}
Deny access to PHP files in the upload directory
Configure the web server to refuse requests for any PHP file under zbzedit/php. This disables the upload handler itself and also stops an already-uploaded shell from executing; it does not inspect upload contents.
# Apache 2.4: add to .htaccess in the zbzedit/php directory (AllowOverride
# must permit it), or wrap in a <Directory> block in the vhost config.
# Apache 2.2: replace "Require all denied" with "Order allow,deny" + "Deny from all".
<FilesMatch "\.(php|phtml|php3|php4|php5|php7)$">
    Require all denied
</FilesMatch>
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block file uploads to /zbzedit/php/zbz.php
- Remove or rename the zbzedit directory entirely if not required for functionality
🔍 How to Verify
Check if Vulnerable:
Attempt an upload to http://[target]/zbzedit/php/zbz.php using a harmless test file rather than real PHP code, and only against systems you are authorized to assess. If the endpoint accepts the file and stores it under the web root, the system is vulnerable.
Check Version:
Check CMS version in admin panel or look for version indicators in source code/comments
Verify Fix Applied:
Attempt the same upload after implementing the workarounds. The request should return 403 (or 404 if the zbzedit directory was removed or renamed) and no file should appear under the web root.
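The check above, as an added example that is not part of the original advisory or of zbzcms: it POSTs a harmless text file (not PHP) to the endpoint and reports whether the server now refuses it. The form field name "file" is an assumption, since the advisory does not document zbz.php's parameter; the response code is what matters, not whether the handler understood the field.

```python
import uuid
import urllib.error
import urllib.request

ENDPOINT_PATH = "/zbzedit/php/zbz.php"


def build_multipart(field_name, filename, content, boundary=None):
    """Build a single-file multipart/form-data body.

    Returns (content_type_header_value, body_bytes). The boundary can be
    fixed for deterministic tests; a random one is generated otherwise.
    """
    boundary = boundary or uuid.uuid4().hex
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field_name}"; filename="{filename}"\r\n'
        "Content-Type: text/plain\r\n"
        "\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", head + content + tail


def probe(base_url, field_name="file", timeout=10):
    """POST a harmless text file to the upload endpoint and return the HTTP status.

    The file is plain text, not PHP: the goal is only to confirm the endpoint
    is unreachable after mitigation. urllib raises on 4xx/5xx, so the status
    is recovered from the exception. ASSUMPTION: the field name "file" is a
    guess; the advisory does not document zbz.php's parameter.
    """
    content_type, body = build_multipart(field_name, "probe.txt", b"mitigation check\n")
    req = urllib.request.Request(
        base_url.rstrip("/") + ENDPOINT_PATH,
        data=body,
        method="POST",
        headers={"Content-Type": content_type},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def is_blocked(status):
    """True when the response shows the endpoint is no longer reachable."""
    return status in (401, 403, 404)


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1"
    code = probe(target)
    verdict = "blocked" if is_blocked(code) else "STILL REACHABLE"
    print(f"{target}{ENDPOINT_PATH} -> HTTP {code}: {verdict}")
```

Run it as `python3 probe.py http://target` before and after applying the workaround; the before-run should not return 403/404, otherwise the after-run proves nothing. A 200 from a WAF block page still counts as "reachable" here, so check the response body by hand if a WAF is the only control.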
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /zbzedit/php/zbz.php with file uploads
- Unusual file creation in web directories with .php extension
- Web server error logs showing blocked upload attempts after mitigation
Network Indicators:
- POST requests to vulnerable endpoint with multipart/form-data containing PHP files
- Subsequent requests to newly uploaded PHP files
SIEM Query:
# Upload attempts against the vulnerable handler (any status; 2xx means it got through)
source="web_server" AND http_method="POST" AND uri="/zbzedit/php/zbz.php"
# Follow-up requests to PHP files dropped under the zbzedit tree
source="web_server" AND uri="/zbzedit/*.php" AND NOT uri="/zbzedit/php/zbz.php"
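The log and network indicators above, turned into detection logic as an added example (not part of the original advisory or of zbzcms). It parses Apache/nginx combined-format access log lines, flags POSTs to zbz.php by outcome, and correlates later requests for new .php files under /zbzedit/ with the client that uploaded. The sample log lines are constructed for the example; the set of PHP files expected under /zbzedit/ is an assumption and should be taken from a clean install.

```python
import re
from urllib.parse import urlsplit

UPLOAD_ENDPOINT = "/zbzedit/php/zbz.php"
# PHP files legitimately served from the zbzedit tree. ASSUMPTION: only the
# upload handler itself is listed; extend this set from a clean install so
# the editor's own scripts are not flagged.
EXPECTED_PHP = {UPLOAD_ENDPOINT}
PHP_EXT_RE = re.compile(r"\.(?:php|phtml|php[3-7])$", re.IGNORECASE)

# Apache/nginx "combined" format: ip ident user [ts] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)

# Constructed sample lines (not real traffic): an accepted upload followed by
# a call to a new .php file, then a GET and a POST rejected after mitigation.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2022:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2022:12:00:05 +0000] "POST /zbzedit/php/zbz.php HTTP/1.1" 200 87 "-" "python-requests/2.27"
203.0.113.7 - - [10/Mar/2022:12:00:09 +0000] "GET /zbzedit/php/c0ffee.php?cmd=id HTTP/1.1" 200 214 "-" "python-requests/2.27"
198.51.100.4 - - [10/Mar/2022:12:01:00 +0000] "GET /zbzedit/php/zbz.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2022:12:02:00 +0000] "POST /zbzedit/php/zbz.php HTTP/1.1" 403 199 "-" "curl/7.81"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = urlsplit(rec["target"]).path  # drop the query string
    return rec


def find_indicators(lines):
    """Scan log lines in order and return a list of finding dicts.

    kinds: upload_accepted   - POST to zbz.php answered 2xx (exploit likely worked)
           upload_blocked    - POST to zbz.php answered 401/403/404 (mitigation working)
           webshell_followup - new .php under /zbzedit/ requested by an IP that uploaded
           unexpected_php    - new .php under /zbzedit/ requested by any other IP
    """
    findings = []
    uploaders = set()  # client IPs whose upload POST was accepted
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method, path, status = rec["ip"], rec["method"], rec["path"], rec["status"]
        if path == UPLOAD_ENDPOINT and method == "POST":
            if 200 <= status < 300:
                uploaders.add(ip)
                kind = "upload_accepted"
            elif status in (401, 403, 404):
                kind = "upload_blocked"
            else:
                continue
            findings.append({"kind": kind, "ip": ip, "path": path, "status": status, "ts": rec["ts"]})
            continue
        if path.startswith("/zbzedit/") and PHP_EXT_RE.search(path) and path not in EXPECTED_PHP:
            kind = "webshell_followup" if ip in uploaders else "unexpected_php"
            findings.append({"kind": kind, "ip": ip, "path": path, "status": status, "ts": rec["ts"]})
    return findings


if __name__ == "__main__":
    for f in find_indicators(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['ip']:<14} {f['kind']:<17} {f['path']} ({f['status']})")
```

Feed a real access log with `find_indicators(open("access.log"))`; a `webshell_followup` finding is the strongest signal, since it pairs an accepted upload with execution of a file that did not exist in the install. Requests for a newly named .php file from a different client (`unexpected_php`) still deserve a look, because the upload may have happened before log retention began.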