CVE-2023-36299
📋 TL;DR
This vulnerability allows remote attackers to upload malicious files and execute arbitrary code on Typecho v1.2.1 installations. Attackers can exploit the upload and options-general parameters in index.php to achieve remote code execution. All Typecho v1.2.1 installations with default configurations are affected.
💻 Affected Systems
- Typecho
📦 What is this software?
Typecho by Typecho
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control over the web server, data theft, lateral movement, and persistent backdoor installation.
Likely Case
Website defacement, data exfiltration, cryptocurrency mining, or ransomware deployment on vulnerable servers.
If Mitigated
The attack is blocked at the web application firewall, or file upload restrictions prevent the uploaded file from being executed.
🎯 Exploit Status
Public proof-of-concept code is available, making exploitation trivial for attackers with basic skills.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v1.2.2 and later
Vendor Advisory: https://github.com/typecho/typecho/releases/tag/v1.2.2
Restart Required: No
Instructions:
1. Back up your Typecho installation and database.
2. Download Typecho v1.2.2 or later from the official GitHub releases.
3. Replace all files except config.inc.php and the uploads directory.
4. Verify the installation works correctly.
🔧 Temporary Workarounds
Web Application Firewall Rules
Block malicious file upload attempts targeting the vulnerable parameters
ModSecurity rule: SecRule ARGS "@rx upload.*options-general" "id:1001,phase:2,deny,status:403,msg:'Typecho CVE-2023-36299 exploit attempt'"
Note that ARGS inspects parameter values; if the indicator is the parameter names themselves, match on ARGS_NAMES instead. Run the rule in detection-only mode against legitimate admin traffic before enforcing it.
File Upload Restrictions
Restrict file uploads to specific directories and file types, and deny execution of PHP-family files inside the uploads directory. Scope the rule to that directory only: applied site-wide it would also block index.php and break the application.
nginx: location ~* ^/uploads/.*\.(php|phtml|php3|php4|php5|php7|phps|phar)$ { deny all; } (replace /uploads/ with the URL path of your uploads directory, and place this location before the generic PHP handler location, since nginx uses the first matching regex location)
Apache 2.2: <Directory "/path/to/typecho/uploads"> <FilesMatch "\.(php|phtml|php3|php4|php5|php7|phps|phar)$"> Order Deny,Allow Deny from all </FilesMatch> </Directory> (on Apache 2.4, replace the Order and Deny directives with Require all denied)
🧯 If You Can't Patch
- Implement strict web application firewall rules to block exploitation attempts
- Disable file upload functionality entirely if not required for business operations
🔍 How to Verify
Check if Vulnerable:
Check the Typecho version in the admin panel, or examine the version header in index.php.
Check Version:
grep -r "define.*VERSION" /path/to/typecho/install/ | grep -o "'[^']*'"
Verify Fix Applied:
Confirm the Typecho version is v1.2.2 or later, and test that uploads of restricted file types (for example .php) are rejected.
📡 Detection & Monitoring
Log Indicators:
- POST requests to index.php with upload and options-general parameters
- File upload attempts with PHP or executable extensions
- Unusual file creation in upload directories
Network Indicators:
- HTTP POST requests with suspicious file upload patterns
- Outbound connections from web server to unknown IPs post-upload
SIEM Query:
source="web_logs" AND (uri_path="/index.php" AND method="POST" AND (param="upload" OR param="options-general"))
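As an added example (not part of this advisory), the log indicators above applied to constructed web access-log lines in Python. It assumes the combined log format and uses the parameter names and file extensions listed on this page; like the SIEM query, it can only see query-string parameters, not POST bodies, so the detector should be fed application or WAF logs when those are available.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined/common log format prefix: ip ident user [ts] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Parameter names called out in the advisory's log indicators.
SUSPECT_PARAMS = {"upload", "options-general"}
# Extensions from the advisory's nginx/Apache deny rules; \b rather than $ so
# double-extension names such as "x.php.jpg" are flagged too.
PHP_EXT_RE = re.compile(r"\.(php|phtml|php[3457]|phps|phar)\b", re.IGNORECASE)


def analyse(line):
    """Return the reasons a log line matches the indicators (empty if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []  # unparseable line; a real pipeline would count these
    url = urlsplit(m.group("target"))
    # Only query-string parameters are visible in an access log, not POST bodies.
    params = parse_qs(url.query, keep_blank_values=True)
    reasons = []
    # Indicator 1: POST to index.php (or a path below it) carrying the parameters.
    if m.group("method") == "POST" and url.path.startswith("/index.php"):
        hits = sorted(SUSPECT_PARAMS & set(params))
        if hits:
            reasons.append("suspect params: " + ",".join(hits))
    # Indicator 2: any parameter value that names a PHP-family file.
    for values in params.values():
        for value in values:
            if PHP_EXT_RE.search(value):
                reasons.append("php extension in value: " + value)
    return reasons


def scan(lines):
    """Return (client IP, reasons) for every flagged line, in log order."""
    return [(LOG_RE.match(ln).group("ip"), r) for ln in lines if (r := analyse(ln))]


# Constructed sample lines using RFC 5737 test addresses, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jul/2023:12:00:01 +0000] "POST /index.php?upload=1&options-general=1 HTTP/1.1" 200 512 "-" "curl/8.1"',
    '198.51.100.9 - - [10/Jul/2023:12:00:02 +0000] "GET /index.php?p=3 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jul/2023:12:00:03 +0000] "POST /index.php?name=upload.php.jpg HTTP/1.1" 200 64 "-" "curl/8.1"',
]

if __name__ == "__main__":
    for ip, reasons in scan(SAMPLE_LOG):
        print(ip, "->", "; ".join(reasons))
```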