CVE-2023-37152
📋 TL;DR
CVE-2023-37152 is an unauthenticated arbitrary file upload vulnerability in Projectworlds Online Art Gallery Project 1.0. Attackers can upload malicious files via adminHome.php without authentication, potentially leading to remote code execution. Note: This vulnerability has been disputed as invalid by some sources.
💻 Affected Systems
- Projectworlds Online Art Gallery Project
📦 What is this software?
Online Art Gallery by Online Art Gallery Project
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via remote code execution, allowing attackers to execute arbitrary commands, steal data, install malware, or pivot to other systems.
Likely Case
Webshell deployment leading to data theft, defacement, or use as a foothold for further attacks.
If Mitigated
File upload attempts blocked or logged, with no successful exploitation.
🎯 Exploit Status
Multiple public exploit scripts and detailed write-ups exist. The vulnerability requires no authentication and minimal technical skill to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: No
Instructions:
No official patch exists. Consider removing or replacing the software entirely.
🔧 Temporary Workarounds
Restrict File Uploads
Implement strict file upload validation including file type checking, size limits, and content scanning.
# Modify adminHome.php to add file validation
# Example PHP code (assumes the upload form field is named 'file'):
$allowed_types = ['jpg', 'jpeg', 'png', 'gif'];
$allowed_mime  = ['image/jpeg', 'image/png', 'image/gif'];
if (!isset($_FILES['file']) || $_FILES['file']['error'] !== UPLOAD_ERR_OK) {
    die('Upload failed');
}
$file_extension = strtolower(pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION));
// Check the real content type as well; the client-supplied file name is untrusted
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($_FILES['file']['tmp_name']);
if (!in_array($file_extension, $allowed_types, true) || !in_array($mime, $allowed_mime, true)) {
    die('Invalid file type');
}
Disable adminHome.php Access
Block or remove access to the vulnerable adminHome.php endpoint.
# Apache .htaccess (2.2 syntax; on Apache 2.4 use "Require all denied" instead of the Order/Deny lines):
<Files "adminHome.php">
Order Deny,Allow
Deny from all
</Files>
# Nginx config (place this before any generic "location ~ \.php$" block, since nginx uses the first matching regex location):
location ~ /adminHome\.php$ {
deny all;
return 403;
}
🧯 If You Can't Patch
- Implement a web application firewall (WAF) with rules to block arbitrary file uploads
- Isolate the application in a restricted network segment with no internet access
🔍 How to Verify
Check if Vulnerable:
Attempt to upload a non-image file (e.g., .php, .txt) to adminHome.php without authentication. If successful, the system is vulnerable.
Check Version:
# Check project version in source files or documentation
# Typically found in README files or configuration files
Verify Fix Applied:
Test the same file upload attempt after implementing controls - it should be rejected with proper error messages.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to adminHome.php
- POST requests to adminHome.php with file uploads
- Execution of unexpected PHP files in upload directories
Network Indicators:
- HTTP POST requests to /adminHome.php with file upload content
- Subsequent requests to uploaded files in upload directories
SIEM Query (pseudo-syntax, adapt to your platform; the parentheses matter, since the intent is web logs matching either indicator):
source="web_logs" AND ((uri="/adminHome.php" AND method="POST" AND size>100000) OR (uri CONTAINS "/uploads/" AND extension IN ("php", "jsp", "asp")))
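As an added example (not code from this page or from the Projectworlds project), the Python script below applies the indicators above to a few constructed combined-format access-log lines: it flags POST requests to adminHome.php, flags requests for php/jsp/asp files under the upload directory, and raises the severity when the same client does both in sequence, which is the webshell upload-then-execute pattern the detection section describes. The /uploads/ path, the log format and the sample lines are assumptions; the combined log format records the response size rather than the request body size, so the size threshold from the query above is not reproduced here.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/Nginx "combined" log format. They are
# made up for this example and are not traffic captured from any real system.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:40 +0000] "POST /adminHome.php HTTP/1.1" 200 412 "-" "python-requests/2.31"
203.0.113.10 - - [10/Oct/2023:13:55:42 +0000] "GET /uploads/upload_1.php HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:14:01:02 +0000] "GET /uploads/sunset.jpg HTTP/1.1" 200 240000 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:01:05 +0000] "POST /adminHome.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

UPLOAD_ENDPOINT = "/adminHome.php"
UPLOAD_DIR = "/uploads/"                  # assumed location of stored uploads
EXECUTABLE_EXT = {"php", "jsp", "asp"}    # the extensions the SIEM query names


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Strip any query string before looking at the path and its extension.
    rec["path"] = rec["target"].split("?", 1)[0]
    rec["ext"] = rec["path"].rsplit(".", 1)[-1].lower() if "." in rec["path"] else ""
    return rec


def is_upload_post(rec):
    """Indicator 1: a POST to the vulnerable endpoint."""
    return rec["method"] == "POST" and rec["path"] == UPLOAD_ENDPOINT


def is_executable_in_uploads(rec):
    """Indicator 2: a request for a server-side script inside the upload directory."""
    return rec["path"].startswith(UPLOAD_DIR) and rec["ext"] in EXECUTABLE_EXT


def detect(log_text):
    """Return alerts as (severity, client_ip, description) tuples.

    Each indicator on its own is 'medium'. A POST to adminHome.php followed by a
    request for a script under the upload directory from the same client is
    'high', because that sequence matches a webshell upload-then-execute pattern.
    """
    alerts = []
    seen_upload_post = defaultdict(bool)   # client ip -> has POSTed to the endpoint
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        if is_upload_post(rec):
            seen_upload_post[ip] = True
            alerts.append(("medium", ip, f"POST to {UPLOAD_ENDPOINT} at {rec['time']}"))
        elif is_executable_in_uploads(rec):
            if seen_upload_post[ip]:
                alerts.append(("high", ip, f"script request {rec['path']} after upload POST"))
            else:
                alerts.append(("medium", ip, f"script request {rec['path']} in upload dir"))
    return alerts


if __name__ == "__main__":
    for severity, ip, desc in detect(SAMPLE_LOG):
        print(f"[{severity}] {ip}: {desc}")
```

Running the script against the sample prints three alerts: a medium one for the first POST, a high one for the same client's follow-up request to upload_1.php, and a medium one for the second client's POST, while the request for sunset.jpg is ignored. In production the per-client state should be bounded by a time window rather than kept forever, and the indicator list should be extended with whatever script extensions the web server is actually configured to execute.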
🔗 References
- https://github.com/Trinity-SYT-SECURITY/arbitrary-file-upload-RCE/blob/main/Online%20Art%20gallery%20project%201.0.md
- https://www.chtsecurity.com/news/ad3cee07-3e35-45c0-97f9-811cce13dda9
- https://www.chtsecurity.com/news/afe25fb4-55ac-45d9-9ece-cbc1edda2fb2%20
- https://www.exploit-db.com/exploits/51524