CVE-2022-34971
📋 TL;DR
This vulnerability allows attackers to upload arbitrary PHP files through the Advertising Management module of Feehi CMS. Attackers can achieve remote code execution by uploading malicious PHP files. All Feehi CMS v2.1.1 installations with the Advertising Management module enabled are affected.
💻 Affected Systems
- Feehi CMS
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control over the web server, allowing data theft, malware deployment, and lateral movement within the network.
Likely Case
Webshell deployment leading to website defacement, data exfiltration, and potential pivot to internal network resources.
If Mitigated
The attack is blocked at the web application firewall, or file upload validation prevents the malicious file from being executed.
🎯 Exploit Status
Exploitation requires access to the Advertising Management module interface. The vulnerability is well-documented in public GitHub issues with technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v2.1.2 or later
Vendor Advisory: https://github.com/liufee/cms/issues/62
Restart Required: No
Instructions:
1. Back up your current installation and database.
2. Download the latest version from the official repository.
3. Replace all files except configuration files and the uploads directory.
4. Verify the Advertising Management module no longer accepts PHP file uploads.
🔧 Temporary Workarounds
Disable Advertising Management Module
Linux: Temporarily disable or restrict access to the vulnerable Advertising Management module
# Remove or rename the advertising module directory
mv /path/to/cms/modules/advertising /path/to/cms/modules/advertising.disabled
Web Application Firewall Rules
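All platforms: Block PHP file uploads to the advertising management endpoints
# Example ModSecurity rule. As written it denies every request whose URI contains /admin/advertising, not only PHP uploads.
SecRule REQUEST_URI "@contains /admin/advertising" "id:1001,phase:2,deny,msg:'Block advertising module uploads'"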
🧯 If You Can't Patch
- Implement strict file upload validation: only allow specific file extensions (jpg, png, pdf) and validate file content
- Configure web server to not execute PHP files in upload directories using .htaccess or nginx configuration
🔍 How to Verify
Check if Vulnerable:
Check if you can upload a PHP file through the Advertising Management module interface at /admin/advertising or similar path
Check Version:
Check the version.php file or admin dashboard: cat /path/to/cms/version.php | grep 'version'
Verify Fix Applied:
Attempt to upload a PHP file through the Advertising Management module - it should be rejected with proper validation
📡 Detection & Monitoring
Log Indicators:
- PHP file uploads to advertising-related endpoints
- Unusual file uploads with .php extension
- Multiple failed upload attempts followed by successful PHP upload
Network Indicators:
- POST requests to /admin/advertising/upload with PHP file content
- Subsequent requests to uploaded PHP files in upload directories
SIEM Query:
source="web_logs" AND (uri_path="/admin/advertising/upload" AND file_extension=".php")
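The log and network indicators above can be checked directly against a web server access log. The following Python script is an added example, not part of the advisory or of Feehi CMS; the /uploads/ directory prefix, the common/combined log format and the sample lines are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

UPLOAD_ENDPOINT = "/admin/advertising/upload"  # endpoint named in the indicators above
UPLOAD_DIR = "/uploads/"  # assumption: URL prefix uploaded files are served from

LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Extensions commonly mapped to the PHP handler, also when followed by
# PATH_INFO (for example /x.php/extra)
PHP_RE = re.compile(r"\.(php\d?|phtml|phar)(/|$)", re.IGNORECASE)

def find_suspicious(lines):
    """Flag requests for PHP files under the upload directory.

    Returns (client_ip, path, uploaded_before, failed_uploads) tuples, where
    uploaded_before says whether the same client had a successful POST to the
    upload endpoint earlier in the log and failed_uploads counts its rejected
    POSTs to that endpoint.
    """
    state = defaultdict(lambda: {"ok": False, "failed": 0})
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        ip, status = m["ip"], int(m["status"])
        path = unquote(m["path"].split("?", 1)[0])  # drop query, decode %xx
        if m["method"] == "POST" and path == UPLOAD_ENDPOINT:
            if status < 400:
                state[ip]["ok"] = True
            else:
                state[ip]["failed"] += 1
        elif path.startswith(UPLOAD_DIR) and PHP_RE.search(path):
            hits.append((ip, path, state[ip]["ok"], state[ip]["failed"]))
    return hits

# Constructed sample lines (documentation IP ranges, made-up file names)
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jul/2022:10:00:01 +0000] "POST /admin/advertising/upload HTTP/1.1" 422 310',
    '203.0.113.7 - - [10/Jul/2022:10:00:09 +0000] "POST /admin/advertising/upload HTTP/1.1" 422 310',
    '203.0.113.7 - - [10/Jul/2022:10:00:20 +0000] "POST /admin/advertising/upload HTTP/1.1" 200 128',
    '198.51.100.4 - - [10/Jul/2022:10:00:31 +0000] "GET /uploads/ad/banner.png HTTP/1.1" 200 20480',
    '203.0.113.7 - - [10/Jul/2022:10:00:45 +0000] "GET /uploads/ad/a1.PHP?v=1 HTTP/1.1" 200 57',
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

Access logs do not record the uploaded file name, so the upload is inferred from the POST and the later request. A hit with uploaded_before set to False still deserves review, since the upload may have come from another address.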