CVE-2023-33177
📋 TL;DR
This path traversal vulnerability in Xibo CMS allows authenticated users to upload specially crafted ZIP files via the layout import function, enabling them to create files outside the intended directory. This can lead to remote code execution by uploading PHP webshells to the web root. All Xibo CMS users running vulnerable versions are affected.
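The defect described above is the classic ZIP path-traversal pattern ("zip slip"): archive member names such as ../../web/x.php are joined to the import directory without checking where the resulting path lands. The following Python example is added here for illustration and is not Xibo's code; it shows the per-entry check a safe importer must perform before writing any member, using a constructed archive and an assumed destination directory /tmp/xibo_import.

```python
import io
import os
import zipfile


def is_safe_member(name: str, dest_dir: str) -> bool:
    """Return True only if a ZIP member name resolves inside dest_dir."""
    # Reject absolute POSIX/Windows paths and drive-letter prefixes outright.
    if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
        return False
    # Resolve the joined path and require it to stay under the destination root.
    dest_root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_root, name))
    return target == dest_root or target.startswith(dest_root + os.sep)


def classify_archive(zip_bytes: bytes, dest_dir: str) -> dict:
    """Map each member name to True (stays inside dest_dir) or False (escapes)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {m: is_safe_member(m, dest_dir) for m in zf.namelist()}


def safe_extract(zip_bytes: bytes, dest_dir: str) -> list:
    """Reject the whole archive if any member escapes; otherwise extract it."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        bad = [m for m in zf.namelist() if not is_safe_member(m, dest_dir)]
        if bad:
            raise ValueError(f"archive rejected, traversal entries: {bad}")
        zf.extractall(dest_dir)
        return zf.namelist()


def build_sample_archive() -> bytes:
    """Constructed sample bundle: one legitimate entry plus three traversal shapes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("layout.xml", "<layout/>")    # legitimate layout definition
        zf.writestr("../../web/escape.php", "")  # relative traversal out of the import dir
        zf.writestr("/var/www/html/x.php", "")   # absolute path
        zf.writestr("media/../../evil.php", "")  # traversal hidden in the middle of a path
    return buf.getvalue()


if __name__ == "__main__":
    for member, ok in classify_archive(build_sample_archive(), "/tmp/xibo_import").items():
        print(f"{'OK     ' if ok else 'REJECT '} {member}")
```

Only the first entry is accepted; the three traversal entries are rejected before anything is written to disk.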
💻 Affected Systems
- Xibo CMS
📦 What is this software?
Xibo by Xibosignage
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with remote code execution as webserver user, leading to data theft, lateral movement, and persistent backdoor installation.
Likely Case
Attackers upload webshells to gain persistent access, deface websites, or deploy ransomware payloads on vulnerable systems.
If Mitigated
With proper network segmentation and file integrity monitoring, the impact is limited to an isolated web server compromise without lateral movement.
🎯 Exploit Status
Exploitation requires authenticated access but relies only on simple path traversal techniques.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.3.17 or 3.3.5
Vendor Advisory: https://xibosignage.com/blog/security-advisory-2023-05/
Restart Required: Yes
Instructions:
1. Back up your Xibo CMS installation and database.
2. Download the patched version (2.3.17 or 3.3.5) from the official Xibo repository.
3. Follow Xibo's upgrade documentation for your version.
4. Restart web server services.
🔧 Temporary Workarounds
Disable Layout Import
Temporarily disable the layout import functionality for all users
Restrict File Upload Permissions
Configure the web server to prevent PHP execution in upload directories
# For Apache: add to .htaccess in the upload directory (AllowOverride must permit it)
# Order/Deny is 2.2 syntax; on 2.4 it needs mod_access_compat, or use "Require all denied"
<Files *.php>
Order Deny,Allow
Deny from all
</Files>
# For Nginx: add to the server block, before the general PHP handler location.
# Scope the deny to the upload directory (<upload-dir> is a placeholder for the real path);
# an unscoped "\.php$" deny would block the whole CMS, not just uploads.
location ~* ^/<upload-dir>/.*\.php$ {
deny all;
}
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Xibo CMS from critical systems
- Enable detailed file integrity monitoring on web root and library directories
🔍 How to Verify
Check if Vulnerable:
Check the Xibo CMS version in the admin panel or via the version file. If the version is below 2.3.17 (for 2.x) or 3.3.5 (for 3.x), the system is vulnerable.
Check Version:
Check the /web/version file, or in the admin panel go to Help -> About.
Verify Fix Applied:
After the upgrade, verify that the version shown in the admin panel is 2.3.17 or 3.3.5. Test layout import with known-good files to confirm functionality is restored.
📡 Detection & Monitoring
Log Indicators:
- Unusual ZIP file uploads via layout import
- PHP file creation in unexpected directories
- Webserver process spawning unexpected child processes
Network Indicators:
- Unusual outbound connections from web server
- POST requests to layout import endpoint with ZIP files
SIEM Query:
source="web_access.log" AND (uri_path="/api/layout/import" OR uri_path LIKE "%/layout/import%") AND method="POST" AND file_extension="zip"
🔗 References
- https://claroty.com/team82/disclosure-dashboard
- https://github.com/xibosignage/xibo-cms/commit/1cbba380fa751a00756e70d7b08b5c6646092658
- https://github.com/xibosignage/xibo-cms/commit/45c6b53c3978639db03b63270a56f4397f49b2c9
- https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-jj27-x85q-crqv
- https://xibosignage.com/blog/security-advisory-2023-05/