CVE-2023-47621
📋 TL;DR
Guest Entries, a PHP package for the Statamic CMS that lets site visitors create, update and delete entries from the front end, accepted PHP files through its front-end file upload feature in versions before 3.1.2. An uploaded .php file that lands in a web-served directory can then be requested by URL and executed, giving remote code execution on the server. The attacker needs only to be able to submit the form: the package exists to take submissions from site visitors, so do not assume a control-panel or admin account is required. Any site running a vulnerable version with a file-upload field on a Guest Entries form is affected, and the outcome is full compromise of the web server under the privileges of the PHP process.
💻 Affected Systems
- Guest Entries PHP library
📦 What is this software?
Guest Entries by Duncanmcclean: an addon for the Statamic CMS, installed via Composer as duncanmcclean/guest-entries, that lets front-end visitors create, update and delete entries (including file uploads) without a control-panel account.
⚠️ Risk & Real-World Impact
Worst Case
An attacker uploads a PHP web shell through a Guest Entries form, requests it from the upload directory, and runs arbitrary code as the web server or PHP-FPM user; from there they read application secrets (.env, database credentials), tamper with site content, and pivot to the database and other internal systems.
Likely Case
A web shell or dropper is placed in the upload directory, giving persistent command execution and data theft until the file is found and removed. Updating the library stops new uploads but does not remove files that were already uploaded.
If Mitigated
With an extension allowlist enforced server-side and the web server configured not to execute scripts in the upload directory, a .php upload is either rejected or served as inert bytes, so legitimate image and document uploads keep working without giving attackers code execution.
🎯 Exploit Status
Exploitation is trivial: submit the form with a .php file in the upload field, then request that file's URL. No tooling beyond a browser or curl is needed. The one precondition besides reaching the form is that uploads are stored under a web-served directory where PHP is executed, which is the normal situation when the asset container lives under the site's public/ directory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.1.2
Vendor Advisory: https://github.com/duncanmcclean/guest-entries/security/advisories/GHSA-rw82-mhmx-grmj
Restart Required: No for the Composer update itself. If OPcache runs with opcache.validate_timestamps=0 (common in production), reload PHP-FPM so the patched classes are loaded, and restart any queue workers that hold the old code in memory.
Instructions:
1. Back up the current installation (code, uploads and database).
2. Make sure composer.json allows the fixed release, then update: 'composer require duncanmcclean/guest-entries:^3.1.2' (or 'composer update duncanmcclean/guest-entries' if the existing constraint already permits 3.1.2; 'composer update' will not move past a constraint that excludes it).
3. Confirm the installed version: 'composer show duncanmcclean/guest-entries'.
4. Search the upload directories for files already uploaded with .php or similar extensions; the patch blocks new uploads but does not delete existing ones.
5. Test the form: a legitimate image upload should succeed and a .php upload should be rejected.
🔧 Temporary Workarounds
Disable file uploads
Temporarily disable file uploads on every Guest Entries form: remove the upload field from the form and from the collection blueprint it writes to, or, if the installed version's config/guest-entries.php exposes an upload switch such as 'allow_uploads', set it to false. Either way, confirm in the browser that the form no longer accepts files.
Server-side file type restriction
Configure the web server so nothing in the upload directory is executed as PHP. Scope the rule to the upload directory only; a site-wide block on .php would also deny the application's own public/index.php front controller and take the site down.
Apache (2.4 syntax, in an .htaccess inside the upload directory or in a <Directory> block for it): <FilesMatch "\.ph(p[0-9]?|tml|ar)$"> Require all denied </FilesMatch> (on Apache 2.2 use 'Order deny,allow' and 'Deny from all' instead). With mod_php, 'php_flag engine off' in the same .htaccess is an additional belt-and-braces measure.
nginx (upload directory assumed to be /assets/; adjust to your site): location ~* ^/assets/.*\.ph(p[0-9]?|tml|ar)$ { deny all; } placed before the generic location ~ \.php$ block that passes requests to PHP-FPM, because nginx uses the first matching regex location.
🧯 If You Can't Patch
- Enforce an extension allowlist at the application level (only the image and document types the form actually needs), reject any file whose name contains an executable extension anywhere (shell.php.jpg), and check the content's leading bytes against the claimed type; never rely on the client-supplied MIME type or filename alone.
- Store uploads outside the web root, or serve the upload directory through a location that never passes files to the PHP interpreter, and rename files on storage so the attacker does not control the final name.
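The two points above, as an added example that is not part of the original page or the Guest Entries project. It models the check in Python so the logic can be run and tested here; in the real application it belongs in the Laravel validation layer in PHP. The allowlist, the magic-byte table and the rejected-extension list are assumptions for the example and should be tuned to what the form actually needs.

```python
import os
import re

# Extensions a PHP-enabled web server may hand to the interpreter. They are
# rejected wherever they appear in the name, not only at the end, because an
# Apache host with AddHandler/MultiViews can execute "shell.php.jpg" as PHP.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "php8",
                   "phtml", "phar", "phps", "pht", "shtml", "htaccess"}

# Allowlist for a typical guest-submission form (assumption for this example).
ALLOWED_EXTS = {"jpg", "jpeg", "png", "gif", "pdf"}

# Leading bytes each allowed type must start with; the extension alone is
# attacker-controlled, so the content has to agree with it.
MAGIC = {
    b"\xff\xd8\xff": {"jpg", "jpeg"},
    b"\x89PNG\r\n\x1a\n": {"png"},
    b"GIF87a": {"gif"},
    b"GIF89a": {"gif"},
    b"%PDF-": {"pdf"},
}


def safe_upload_name(filename, head):
    """Return a sanitised storage name for an acceptable upload, or None.

    filename: the client-supplied name; head: the first bytes of the content.
    """
    # Drop any directory component the client sent (../, C:\ and so on).
    name = os.path.basename(filename.replace("\\", "/"))
    if "\x00" in name:  # "x.png\0.php" tricks aimed at C-string based checks
        return None
    # Windows/IIS strip trailing dots and spaces, so "shell.php." is shell.php.
    name = name.rstrip(". ")
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:  # no extension, or a dotfile like .htaccess
        return None
    exts = parts[1:]
    if any(e in EXECUTABLE_EXTS for e in exts):
        return None
    final = exts[-1]
    if final not in ALLOWED_EXTS:
        return None
    if not any(head.startswith(magic) and final in kinds
               for magic, kinds in MAGIC.items()):
        return None
    # Rebuild the name ourselves rather than trusting the original stem.
    stem = re.sub(r"[^a-z0-9_-]", "_", parts[0])[:64]
    return f"{stem}.{final}"


if __name__ == "__main__":
    cases = [("photo.jpg", b"\xff\xd8\xff\xe0"), ("shell.php", b"<?php"),
             ("shell.php.jpg", b"\xff\xd8\xff\xe0"), ("shell.php.", b"<?php"),
             ("../../x.png", b"\x89PNG\r\n\x1a\n"), ("evil.jpg", b"<?php")]
    for fn, head in cases:
        print(f"{fn!r:20} -> {safe_upload_name(fn, head)}")
```

The order of the checks matters: the executable-extension test runs over every dotted segment before the final extension is even looked at, so a double extension is rejected regardless of how the web server would interpret it, and the content check closes the remaining gap of a PHP payload named photo.jpg on a server that sniffs content.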
🔍 How to Verify
Check if Vulnerable:
On the deployed host run 'composer show duncanmcclean/guest-entries' and read the 'versions' line; anything below 3.1.2 (for example v3.1.1 or any 2.x) is vulnerable. composer show reads vendor/composer/installed.json, so run it against the deployment itself, not a development checkout whose lock file may differ.
Check Version:
composer show duncanmcclean/guest-entries | grep version
Verify Fix Applied:
The same command should report v3.1.2 or later: 'composer show duncanmcclean/guest-entries | grep version'. Then confirm behaviour, not just the number: submit a .php file through the form and verify it is rejected and nothing appears in the upload directory.
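For fleets where running composer on every host is impractical, the same check can be done offline from each site's composer.lock. The script below is an added example, not part of the page or the project; the lock excerpt it embeds is constructed for the demo, and it treats branch aliases such as dev-main as "cannot tell" rather than guessing.

```python
import json
import re
import sys

PACKAGE = "duncanmcclean/guest-entries"
FIXED_IN = (3, 1, 2)  # first release with the fix, per the advisory

# Constructed composer.lock excerpt for the demo, not from a real deployment.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v10.30.1"},
        {"name": PACKAGE, "version": "v3.1.1"},
    ],
    "packages-dev": [],
})


def parse_version(version):
    """'v3.1.1' -> (3, 1, 1). Returns None for branch aliases like 'dev-main'."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    return tuple(int(x) for x in m.groups()) if m else None


def installed_version(lock_text, package=PACKAGE):
    """Version string recorded for `package` in a composer.lock, or None."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == package:
                return pkg.get("version")
    return None


def is_vulnerable(lock_text):
    """True if the lock pins a pre-3.1.2 release, False if 3.1.2 or later,
    None if the package is absent or the version cannot be compared."""
    version = installed_version(lock_text)
    if version is None:
        return None
    parsed = parse_version(version)
    if parsed is None:
        return None
    return parsed < FIXED_IN


if __name__ == "__main__":
    # Usage: python check_guest_entries.py [path/to/composer.lock]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    verdict = is_vulnerable(text)
    print({True: "VULNERABLE: update to 3.1.2 or later",
           False: "patched",
           None: "not installed or unversioned: inspect manually"}[verdict])
```

A lock file records what 'composer install' would deploy, so a repository whose lock says 3.1.1 is vulnerable even if a developer's machine has since been updated; conversely, a host whose vendor/ directory was hand-edited is only caught by composer show on that host.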
📡 Detection & Monitoring
Log Indicators:
- POST requests to the Guest Entries submit route carrying multipart bodies whose part filenames end in .php, .phtml, .phar or .php5; application logs are where the original filename shows up, since the web server access log records only the URL
- New .php files appearing in the upload or asset directory (file-integrity monitoring, or a scheduled find over the directory)
- Requests to a .php path under the upload directory, especially ones returning 200 shortly after a form submission from the same client
Network Indicators:
- Multipart POSTs to the upload endpoint whose part filename has a PHP extension or whose content starts with <?php
- Follow-up requests to the uploaded path, often with query strings carrying commands (cmd=, c=)
SIEM Query:
Field names vary by log source; in Splunk-style syntax, with parentheses made explicit so the OR does not swallow the source filter (replace /assets/ with your upload directory):
source="web_server" AND ((method="POST" AND uri="*guest-entries*") OR (uri="*/assets/*.php*"))
A hit on the second clause is the stronger signal; a POST alone is normal traffic on any site that uses the addon.
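The correlation described by the indicators above (a form submission followed by a request to a script in the upload directory from the same client), as an added example run over constructed access-log lines; it is not part of the original page or of the Guest Entries project. The submit route pattern /guest-entries/create and the /assets/ upload prefix are assumptions for the example and must be adjusted to the site's actual routes and asset container path.

```python
import re
from datetime import datetime

# Combined-log parser: client IP, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# PHP-executable extension anywhere in the path ("cmd.php", "cmd.php.jpg").
EXEC_RE = re.compile(r'\.(php\d?|phtml|phar|pht|phps)(\.|$)', re.I)
# Assumptions for this example: the Guest Entries submit route and the public
# directory where the site's asset container stores uploads. Adjust per site.
SUBMIT_RE = re.compile(r'/guest-entries/(create|update)', re.I)
UPLOAD_PREFIX = "/assets/"

# Constructed sample traffic, not real logs.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2023:14:02:11 +0000] "GET /submit HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2023:14:02:30 +0000] "POST /!/guest-entries/create HTTP/1.1" 302 0 "https://example.test/submit" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2023:14:02:45 +0000] "GET /assets/uploads/cmd.php?c=id HTTP/1.1" 200 61 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Nov/2023:14:05:00 +0000] "GET /assets/uploads/photo.jpg HTTP/1.1" 200 20311 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Nov/2023:14:05:10 +0000] "GET /index.php HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Nov/2023:15:40:02 +0000] "GET /assets/uploads/old.php HTTP/1.1" 404 153 "-" "curl/8.4.0"
"""


def parse_line(line):
    """One combined-format line -> dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    e["path"] = e["path"].split("?", 1)[0]  # drop the query string
    return e


def find_indicators(log_text, window_seconds=600):
    """Return (severity, ip, path, status) for every request to a script
    under the upload directory. Severity is 'high' when the same client
    submitted a Guest Entries form within `window_seconds` beforehand
    (upload followed by execution), otherwise 'medium'."""
    last_submit = {}
    alerts = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        if e["method"] == "POST" and SUBMIT_RE.search(e["path"]):
            last_submit[e["ip"]] = e["ts"]
        if e["path"].startswith(UPLOAD_PREFIX) and EXEC_RE.search(e["path"]):
            prior = last_submit.get(e["ip"])
            recent = (prior is not None
                      and 0 <= (e["ts"] - prior).total_seconds() <= window_seconds)
            alerts.append(("high" if recent else "medium",
                           e["ip"], e["path"], e["status"]))
    return alerts


if __name__ == "__main__":
    for alert in find_indicators(SAMPLE_LOG):
        print(alert)
```

The request to /index.php is deliberately not flagged: the front controller is PHP by design, which is also why the server-side block in the workarounds section must be scoped to the upload directory. A 404 on a script path under uploads (the second alert) is still worth a look, because it may be an attacker probing for a shell that was already cleaned up or a scanner enumerating a site that used to be vulnerable.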
🔗 References
- https://github.com/duncanmcclean/guest-entries/commit/a8e17b4413bfbbc337a887761a6c858ef1ddb4da
- https://github.com/duncanmcclean/guest-entries/security/advisories/GHSA-rw82-mhmx-grmj