CVE-2022-29347
📋 TL;DR
CVE-2022-29347 is an arbitrary file upload vulnerability in Web@rchiv 1.0 that allows attackers to upload malicious PHP files. This enables remote code execution on affected systems, potentially compromising the entire server. Anyone running Web@rchiv 1.0 is vulnerable.
💻 Affected Systems
- Web@rchiv
📦 What is this software?
Web@rchiv by Web@rchiv Project
⚠️ Risk & Real-World Impact
Worst Case
Complete server takeover with attacker gaining root/admin access, data theft, ransomware deployment, and use as pivot point for lateral movement.
Likely Case
Webshell installation leading to data exfiltration, credential harvesting, and backdoor persistence on the server.
If Mitigated
Attack blocked at web application firewall level or file upload prevented by proper input validation.
🎯 Exploit Status
Simple file upload bypass with PHP webshell. GitHub repository contains exploit code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: Not available
Restart Required: No
Instructions:
No official patch available. Consider migrating to alternative software or implementing workarounds.
🔧 Temporary Workarounds
Restrict File Upload Extensions
Configure the web server to deny access to (and therefore execution of) .php files and other executable extensions inside the upload directory
# In Apache .htaccess, placed in the upload directory only. Applied to the whole
# site it would also block the application's own PHP files and legitimate .js assets.
# No trailing "$" on purpose: the pattern also catches double extensions such as
# shell.php.jpg, which Apache setups that map handlers per extension may execute.
<FilesMatch "\.(php|php3|php4|php5|phtml|pl|cgi|exe|dll|bat|cmd|com|vb|vbs|js|jsp|asp|aspx)">
    # Apache 2.2 syntax (needs mod_access_compat on 2.4); on Apache 2.4 use "Require all denied"
    Order Allow,Deny
    Deny from all
</FilesMatch>
# In Nginx config: prefix the regex with the upload directory path (otherwise the
# application's own .php files are denied too) and place this location block
# before the generic "\.php$" fastcgi location, because the first matching regex
# location wins.
location ~ \.(php|php3|php4|php5|phtml|pl|cgi|exe|dll|bat|cmd|com|vb|vbs|js|jsp|asp|aspx)$ {
    deny all;
}
Implement File Upload Validation
Add server-side validation that checks file types and extensions before accepting uploads
# PHP example: an allow-list of acceptable extensions, never a deny-list of "bad" ones
$allowed_extensions = array('jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt');
if (!isset($_FILES['file']['name'])) {
    die('No file uploaded');
}
# Only the last extension is inspected, so store the file under a server-generated
# name and never reuse the client-supplied name on disk
$file_extension = strtolower(pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION));
if (!in_array($file_extension, $allowed_extensions, true)) {
    die('Invalid file type');
}
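The PHP snippet above only looks at the last extension of the client-supplied name. The following Python function, added here as an illustration and not code from Web@rchiv or its project, shows the fuller check a practitioner would apply to any upload handler: one extension only, an allow-list, a magic-byte check that the body really is the claimed type, and a server-generated storage name. The magic-byte table and the rejection of plain-text types are choices made for this example; extend them to your application's needs.

```python
import os
import re
import secrets

# Allow-listed extensions mapped to the bytes the file body must start with.
# Constructed for this example; .txt is deliberately absent because plain text
# has no reliable signature and would need a different content check.
ALLOWED = {
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
}

# letters, digits, underscore, dash: nothing the filesystem or a shell could interpret
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the message says which check failed."""


def validate_upload(filename: str, data: bytes) -> str:
    """Return a server-generated storage name for an acceptable upload.

    Raises UploadRejected otherwise. The returned name keeps the allow-listed
    extension but nothing else from the client-supplied name.
    """
    # strip any directory components the client sent (both separator styles)
    base = os.path.basename(filename.replace("\\", "/"))
    if "\x00" in base or base in ("", ".", ".."):
        raise UploadRejected("bad filename")

    # exactly one extension: "shell.php.jpg" and "shell.php" are both rejected here
    parts = base.split(".")
    if len(parts) != 2:
        raise UploadRejected("filename must have exactly one extension")
    stem, ext = parts[0], parts[1].lower()
    if not SAFE_STEM.match(stem):
        raise UploadRejected("unsafe characters in filename")
    if ext not in ALLOWED:
        raise UploadRejected(f"extension .{ext} not allowed")

    # the body must actually be the claimed type: a PHP script renamed to .jpg fails here
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        raise UploadRejected("content does not match extension")

    # random storage name so the client never controls what ends up on disk
    return f"{secrets.token_hex(16)}.{ext}"
```

Store the returned name in a directory that the web server is configured not to execute scripts from, and serve the files back through the application rather than directly from the web root.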
🧯 If You Can't Patch
- Remove Web@rchiv 1.0 from production and replace with alternative software
- Implement strict network segmentation and isolate the vulnerable system
🔍 How to Verify
Check if Vulnerable:
Check whether Web@rchiv 1.0 is installed by looking for its application files or version information under the web root
Check Version:
# Check for Web@rchiv files (case-insensitive; adjust /var/www to your web root):
find /var/www -iname "*webarchiv*" -o -iname "*web@rchiv*"
Verify Fix Applied:
Test the upload function with a harmless .php file; it should be rejected. Also check the web server configuration for the file extension blocking described above.
📡 Detection & Monitoring
Log Indicators:
- File upload requests with .php extensions
- Unusual POST requests to upload endpoints
- Web server error logs showing blocked PHP file uploads
Network Indicators:
- POST requests to upload.php or similar endpoints with PHP file content
- Outbound connections from web server to unknown IPs after file upload
SIEM Query:
source="web_server_logs" AND (uri_path="*upload*" OR method="POST") AND (file_extension="php" OR user_agent="*curl*" OR user_agent="*wget*")
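The SIEM query above flags uploads by command-line clients; the stronger signal after a successful upload is a request for a server-side script inside the upload directory, which should never occur on a correctly configured server. The Python below, an added example that is not part of the advisory, parses Apache/nginx combined-format log lines and applies both rules to a constructed sample log. The /uploads/ path is an assumption; Web@rchiv's actual upload directory may differ.

```python
import re
from collections import namedtuple

# Apache/nginx "combined" log format
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: a browser upload, an upload driven by curl, a later hit on a
# script under the upload directory, and an ordinary image fetch.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /upload.php HTTP/1.1" 200 512 "http://example.test/" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:57:01 +0000] "POST /upload.php HTTP/1.1" 200 512 "-" "curl/7.88.1"
203.0.113.7 - - [10/Oct/2023:13:57:05 +0000] "GET /uploads/shell.php?cmd=id HTTP/1.1" 200 97 "-" "curl/7.88.1"
198.51.100.9 - - [10/Oct/2023:14:02:11 +0000] "GET /uploads/photo.jpg HTTP/1.1" 200 40233 "-" "Mozilla/5.0"
"""

Alert = namedtuple("Alert", "rule ip path")

UPLOAD_DIR = "/uploads/"  # assumption: replace with the application's real upload path
# script extensions, matched at the end of the path or just before a query string
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)(\?|$)", re.IGNORECASE)
SCRIPTED_UA = re.compile(r"^(curl|wget|python-requests)/", re.IGNORECASE)


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(log_text):
    """Run both detection rules over a block of log text and return the alerts raised."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"]
        # rule 1: the upload endpoint driven by a command-line client
        if rec["method"] == "POST" and "upload" in path.lower() and SCRIPTED_UA.match(rec["ua"]):
            alerts.append(Alert("upload-by-cli-client", rec["ip"], path))
        # rule 2: a server-side script requested from the upload directory
        if path.startswith(UPLOAD_DIR) and SCRIPT_EXT.search(path):
            alerts.append(Alert("script-under-uploads", rec["ip"], path))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Rule 2 fires regardless of the response status, so it also catches attempts against a server where the workaround is already in place (the web server returns 403), which is exactly the "blocked PHP file uploads" log indicator listed above.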