CVE-2023-53924
📋 TL;DR
This vulnerability allows authenticated attackers to upload malicious PHP files disguised as avatar images in UliCMS, leading to remote code execution. Attackers can execute arbitrary system commands by accessing the uploaded file. All UliCMS 2023.1-sniffing-vicuna installations with authenticated user access are affected.
💻 Affected Systems
- UliCMS
📦 What is this software?
Ulicms by Ulicms
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise allowing attackers to execute arbitrary commands, steal data, install backdoors, pivot to other systems, or deploy ransomware.
Likely Case
Attackers gain shell access to the web server, allowing them to read/write files, access databases, and potentially compromise the underlying operating system.
If Mitigated
With proper file upload restrictions and web application firewalls, the attack would be blocked at the upload stage or execution would be prevented.
🎯 Exploit Status
Exploit requires authenticated user credentials but is straightforward to execute once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2023.2 or later
Vendor Advisory: https://en.ulicms.de/
Restart Required: No
Instructions:
1. Update UliCMS to version 2023.2 or later.
2. Apply the patch that restricts file upload extensions.
3. Verify the fix by testing the avatar upload functionality.
🔧 Temporary Workarounds
Restrict .phar file uploads
Configure the web server or application to block .phar file uploads at the avatar upload endpoint.
# In .htaccess for Apache:
<FilesMatch "\.phar$">
Order Allow,Deny
Deny from all
</FilesMatch>
# In nginx config:
location ~ \.phar$ {
deny all;
}
Disable avatar upload functionality
Temporarily disable user avatar uploads until patching is complete.
# Modify UliCMS configuration or code to disable avatar uploads
🧯 If You Can't Patch
- Implement strict file upload validation that only allows image extensions (jpg, png, gif) and validates file content.
- Use a web application firewall (WAF) to block requests containing .phar extensions or suspicious upload patterns.
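The two items above describe the validation a deployment should enforce regardless of a WAF: an allowlist of image extensions plus a check that the file body really is that image type. The following is an added illustration of that check in Python, not UliCMS project code; the accepted types, the magic-byte table, the double-extension rule and the server-chosen storage name are assumptions made for the example, and all inputs are constructed.

```python
"""Allowlist-plus-content validation for avatar uploads.

Added example for this advisory, not UliCMS project code. The accepted
types, the signature table and the storage-name scheme are assumptions
that illustrate the "image extensions only, validate file content" advice.
"""
import os
import secrets
from typing import Dict, List, Tuple

# Declared extension -> magic bytes the file body must start with.
IMAGE_SIGNATURES: Dict[str, List[bytes]] = {
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
}


def validate_avatar(filename: str, content: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Anything not provably an image is rejected."""
    base = os.path.basename(filename)
    if not base or base != filename:
        return False, "path component or empty name"
    # Exactly one dot: "avatar.phar.png" style double extensions are refused.
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "missing or multiple extensions"
    ext = parts[1]
    if ext not in IMAGE_SIGNATURES:
        return False, "extension .%s not in allowlist" % ext
    if not any(content.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        return False, "content does not match declared image type"
    # Defence in depth: a valid image header followed by PHP source is still
    # dangerous if the upload directory is ever served with PHP enabled.
    if b"<?php" in content or b"<?=" in content:
        return False, "PHP open tag inside image data"
    return True, "ok"


def storage_name(ext: str) -> str:
    """Server-chosen name: the client's filename never reaches the filesystem."""
    return secrets.token_hex(16) + "." + ext


# Constructed inputs (not real uploads) covering the accept and reject paths.
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_SOURCE = b"<?php /* constructed, non-image content */ ?>"
SAMPLES = {
    "good_png": ("avatar.png", PNG_HEADER),
    "phar_ext": ("avatar.phar", PHP_SOURCE),
    "php_as_png": ("avatar.png", PHP_SOURCE),
    "double_ext": ("avatar.phar.png", PNG_HEADER),
    "polyglot": ("avatar.gif", b"GIF89a" + PHP_SOURCE),
    "traversal": ("../avatar.png", PNG_HEADER),
}


def run_samples() -> Dict[str, bool]:
    """Map each sample name to whether the validator accepts it."""
    return {name: validate_avatar(fn, body)[0] for name, (fn, body) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (fn, body) in SAMPLES.items():
        ok, why = validate_avatar(fn, body)
        print("%-11s %-18s %s (%s)" % (name, fn, "ACCEPT" if ok else "REJECT", why))
```

The extension check alone is what the vendor patch restores; the magic-byte check and the server-generated filename are the layers that keep a renamed or polyglot file from being stored under a name the client controls. Serving the avatar directory with script execution disabled remains the backstop if any of these checks is bypassed.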
🔍 How to Verify
Check if Vulnerable:
Check if UliCMS version is 2023.1-sniffing-vicuna and test if .phar files can be uploaded via the avatar upload feature.
Check Version:
Check UliCMS admin panel or version file, or run: grep -r 'version' /path/to/ulicms/ | grep '2023'
Verify Fix Applied:
After updating, attempt to upload a .phar file via avatar upload; it should be rejected. Confirm the version is 2023.2 or later.
📡 Detection & Monitoring
Log Indicators:
- Unusual .phar file uploads in web server logs
- Multiple failed upload attempts followed by successful .phar upload
- POST requests to avatar upload endpoint with .phar files
Network Indicators:
- HTTP POST requests with .phar file uploads to avatar endpoints
- Subsequent requests to uploaded .phar files
SIEM Query:
source="web_server" AND ((uri="*avatar*" AND file_extension=".phar") OR (uri="*.phar" AND referer="*avatar*"))
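The indicators above are easiest to act on when the two halves are correlated: a POST to the avatar endpoint by a client, followed shortly by a request from the same client for a path ending in .phar. The script below is an added example, not UliCMS project code or a vendor detection rule. It parses Apache combined-format lines (constructed here, not real traffic), keys on client IP plus authenticated user, and raises the severity when a .phar request falls within an assumed 10-minute window after an avatar upload. The avatar endpoint path is an assumption; substitute the route your deployment uses.

```python
"""Correlating avatar-upload POSTs with later requests for .phar paths.

Added example for this advisory, not UliCMS project code. Log lines are
constructed in Apache combined format; the avatar endpoint path and the
10-minute correlation window are assumptions.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
AVATAR_ENDPOINT = "/user/avatar"          # assumed; check your deployment's route
UPLOAD_WINDOW = timedelta(minutes=10)     # assumed correlation window


def parse_line(line: str) -> Optional[Dict]:
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def detect(lines: List[str]) -> List[Dict]:
    """One alert per request for a .phar path. Severity is 'high' when the
    same client and user POSTed to the avatar endpoint shortly before.
    Access logs do not record multipart filenames, so the follow-up request
    for the stored file is the observable step, not the upload itself."""
    last_upload: Dict[tuple, datetime] = {}
    alerts: List[Dict] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["ip"], rec["user"])
        if rec["method"] == "POST" and rec["path"].startswith(AVATAR_ENDPOINT):
            last_upload[key] = rec["ts"]
            continue
        path = rec["path"].split("?", 1)[0].lower()
        if not path.endswith(".phar"):
            continue
        prior = last_upload.get(key)
        correlated = prior is not None and rec["ts"] - prior <= UPLOAD_WINDOW
        alerts.append({
            "ip": rec["ip"], "user": rec["user"], "path": rec["path"],
            "status": rec["status"], "ts": rec["ts"].isoformat(),
            "severity": "high" if correlated else "medium",
            "avatar_referer": "avatar" in rec["referer"].lower(),
        })
    return alerts


# Constructed sample traffic: an upload followed by a fetch of the stored
# file (alice), unrelated browsing (bob), and a cold probe for a .phar path (carol).
SAMPLE_LOG = [
    '203.0.113.5 - alice [10/Oct/2023:13:55:36 +0000] "POST /user/avatar HTTP/1.1" 200 512 '
    '"https://cms.example.test/user/profile" "Mozilla/5.0"',
    '198.51.100.9 - bob [10/Oct/2023:13:55:41 +0000] "GET /index.php HTTP/1.1" 200 2048 '
    '"-" "Mozilla/5.0"',
    '203.0.113.5 - alice [10/Oct/2023:13:55:50 +0000] "GET /content/avatars/alice.phar HTTP/1.1" 200 128 '
    '"https://cms.example.test/user/avatar" "Mozilla/5.0"',
    '198.51.100.7 - carol [10/Oct/2023:14:02:10 +0000] "GET /content/avatars/x.phar HTTP/1.1" 404 0 '
    '"-" "curl/8.0"',
]


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print("%s %s %s %s -> %s" % (a["ts"], a["ip"], a["user"], a["path"], a["severity"]))
```

A 200 response on the .phar request is the signal that the file was both stored and served; a 404 from a client with no prior upload is more likely scanning and can be tracked at lower priority. Both cases are worth alerting on, since a successful fetch of a .phar under the avatar directory should never occur on a patched or correctly configured installation.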