CVE-2023-50104
📋 TL;DR
ZZCMS 2023 has an unauthenticated file upload vulnerability that allows attackers to upload malicious files and execute arbitrary code on the server. This affects all systems running ZZCMS 2023 with the vulnerable upload component accessible. Attackers can gain complete control of affected servers.
💻 Affected Systems
- ZZCMS
📦 What is this software?
ZZCMS is a PHP-based content management system developed and distributed by the ZZCMS project. The affected component is the upload handler at /3/E_bak5.1/upload/index.php inside the installation.
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise leading to data theft, ransomware deployment, lateral movement within network, and persistent backdoor installation.
Likely Case
Webshell upload leading to server control, data exfiltration, and use as pivot point for further attacks.
If Mitigated
Upload request blocked by a WAF rule or by removal of the endpoint; no file is written to the server and no code executes.
🎯 Exploit Status
Simple HTTP POST request with malicious file upload; exploit code available in public repositories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not available
Restart Required: No
Instructions:
1. Check the vendor's website and release notes for a security update addressing this issue.
2. If a patched release is available, download and apply it.
3. If the E_bak5.1 upload component is not needed, remove the vulnerable upload/index.php file (take a backup copy first).
4. Test site functionality, including any legitimate upload features, after the change.
🔧 Temporary Workarounds
Remove vulnerable upload endpoint (Linux)
Delete, or restrict web access to, the vulnerable upload/index.php file. Back the file up before deleting it, and confirm nothing else on the site depends on that upload handler.
rm /path/to/3/E_bak5.1/upload/index.php
Implement file upload restrictions (all platforms)
Add server-side validation for file uploads: an extension allowlist checked against the full filename (not just the trailing extension, so names like shell.php.jpg are caught), a content check (magic bytes) instead of trusting the client-supplied MIME type, a size limit, and server-generated filenames. Store uploads in a directory where the web server does not execute scripts.
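The following is an added example of the server-side validation described in the workaround above. It is not ZZCMS code and not the vendor's fix; the allowed types, size limit and helper names are assumptions for illustration. Each check is paired with the bypass it closes (path traversal in the name, double extensions, null bytes, mismatched content, dot-files such as .htaccess).

```python
"""Server-side upload validation: added example, not ZZCMS code and not the
fix the vendor shipped. It shows the checks the workaround asks for, with
the bypasses each one closes. Allowed types, limits and names are assumed.
"""
import os
import re
import secrets

# Extension allowlist, each paired with the magic bytes a real file starts with.
ALLOWED_TYPES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}
MAX_BYTES = 2 * 1024 * 1024  # assumed limit

# Anything the PHP handler or a misconfigured server might execute. Matched
# anywhere in the name (followed by a dot or the end), so shell.php.jpg is
# caught, not just a trailing .php.
EXECUTABLE_EXT = re.compile(
    r"\.(php\d?|phtml|phar|inc|htaccess|jsp|aspx?)(\.|$)", re.IGNORECASE
)


class UploadRejected(ValueError):
    """Raised with a reason the server can log; the client gets a generic error."""


def validate_upload(client_filename: str, data: bytes) -> str:
    """Validate one upload and return the server-chosen storage filename."""
    # 1. Drop any directory part the client sent (../../config.php, C:\...).
    base = os.path.basename(client_filename.replace("\\", "/"))
    if not base or "\x00" in base:
        raise UploadRejected("empty filename or embedded null byte")
    # 2. Size limits, including zero-length files.
    if not data:
        raise UploadRejected("empty file")
    if len(data) > MAX_BYTES:
        raise UploadRejected(f"file exceeds {MAX_BYTES} bytes")
    # 3. Reject executable extensions anywhere in the name.
    if EXECUTABLE_EXT.search(base):
        raise UploadRejected("executable extension in filename")
    # 4. Allowlist, never a denylist: unknown extensions are rejected.
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext!r} not allowed")
    # 5. Content must match the claimed type; the client MIME header is ignored.
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match extension")
    # 6. The client string never reaches the filesystem: random name + vetted ext.
    return secrets.token_hex(16) + ext


def is_accepted(client_filename: str, data: bytes) -> bool:
    """Convenience wrapper: True if the upload would be stored."""
    try:
        validate_upload(client_filename, data)
        return True
    except UploadRejected:
        return False
```

Even with these checks, the upload directory itself should be configured so the web server never executes scripts from it (for example by not mapping PHP in that location); validation and a non-executable storage location are independent layers and an attacker needs to beat both.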
🧯 If You Can't Patch
- Block POST requests to /3/E_bak5.1/upload/index.php at the WAF or in the web server configuration
- Restrict network access to the ZZCMS administration interfaces and to the /3/E_bak5.1/ path using firewall rules, so only trusted addresses can reach them
🔍 How to Verify
Check if Vulnerable:
Check whether /3/E_bak5.1/upload/index.php exists in the web root (request it over HTTP, or look for it on disk). If it does, and you are authorized to test, confirm whether it stores a file with a script extension (such as .php) without validation.
Check Version:
Check ZZCMS version in admin panel or read version files in installation directory.
Verify Fix Applied:
In an authorized test, attempt to upload a harmless file with a .php extension to the endpoint. A fixed system rejects the upload with an error (or returns 404 if the endpoint was removed) and no new file appears in the upload directory.
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /3/E_bak5.1/upload/index.php with file uploads
- Unusual file creations in upload directories
- Script files in upload folders: .php and its variants (.phtml, .phar, .php5), plus .jsp and .asp if another runtime is present
Network Indicators:
- Unusual outbound connections from web server
- Large file uploads to vulnerable endpoint
- POST requests with suspicious file extensions
SIEM Query (pseudo-syntax; uri, method and file_ext are placeholders for the field names in your log schema):
source="web_logs" AND (uri="/3/E_bak5.1/upload/index.php" OR uri LIKE "%/upload/%") AND method="POST" AND (file_ext=".php" OR file_ext=".phtml" OR file_ext=".jsp" OR file_ext=".asp")
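The following is an added example of the detection logic above run over web server access logs. It is not ZZCMS code and not the page's SIEM query; the log lines are constructed, and the combined log format and category names are assumptions. It flags the three indicator patterns and then correlates them per source address, since a POST to the endpoint followed by a request for a script under /upload/ from the same IP is the upload-then-execute sequence of a successful attack.

```python
"""Access-log triage for the indicators above: an added example, not
ZZCMS code or the page's SIEM query. It reads combined-format web server
log lines (the sample below is constructed) and reports the request
patterns worth alerting on, then correlates them per source IP.
"""
import re
from collections import defaultdict

VULN_PATH = "/3/E_bak5.1/upload/index.php"
# Script extensions that should never be requested from an upload directory.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar|jsp|aspx?)$", re.IGNORECASE)
# Combined log format: ip ident user [ts] "METHOD uri proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample: one attacker (203.0.113.7) uploads and then calls a
# shell; one legitimate avatar upload; ordinary traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.7 - - [10/Jan/2024:10:01:09 +0000] "POST /3/E_bak5.1/upload/index.php HTTP/1.1" 200 311
203.0.113.7 - - [10/Jan/2024:10:01:15 +0000] "GET /3/E_bak5.1/upload/cmd.php?c=id HTTP/1.1" 200 87
198.51.100.4 - - [10/Jan/2024:10:05:40 +0000] "POST /member/upload/?type=avatar HTTP/1.1" 302 0
198.51.100.4 - - [10/Jan/2024:10:05:41 +0000] "GET /image/upload/a.jpg HTTP/1.1" 200 40981
192.0.2.9 - - [10/Jan/2024:10:07:00 +0000] "GET /admin/login.php HTTP/1.1" 200 2048
"""


def parse_line(line: str):
    """Return the request fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec: dict):
    """Map one parsed request to an indicator category, or None if benign."""
    method = rec["method"]
    path = rec["uri"].split("?", 1)[0]
    if method == "POST" and path == VULN_PATH:
        return "vuln_endpoint_post"          # direct hit on the CVE endpoint
    if "/upload/" in path and path != VULN_PATH and SCRIPT_EXT.search(path):
        return "script_in_upload_dir"        # a script being served from uploads
    if method == "POST" and "/upload/" in path:
        return "post_to_upload_path"         # noisy on its own; review, do not page
    return None


def triage(log_text: str) -> list:
    """All findings from a log, in log order, with the fields an analyst needs."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        category = classify(rec)
        if category:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "category": category,
                             "uri": rec["uri"], "status": rec["status"]})
    return findings


def likely_compromised(findings: list) -> list:
    """IPs that both hit the vulnerable endpoint and requested a script under an
    upload directory: the upload-then-execute sequence of a successful attack."""
    seen = defaultdict(set)
    for f in findings:
        seen[f["ip"]].add(f["category"])
    required = {"vuln_endpoint_post", "script_in_upload_dir"}
    return sorted(ip for ip, cats in seen.items() if required <= cats)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['ip']} {f['category']:<22} {f['status']} {f['uri']}")
    print("likely compromised:", likely_compromised(found))
```

The generic "/upload/" match will also catch the site's own upload handlers, which is why that category is marked for review rather than alerting; tune the path list to the directories your installation actually uses. A plain GET to the endpoint is not flagged here, but a spike of them is worth watching as scanning activity.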