CVE-2024-24399
📋 TL;DR
CVE-2024-24399 is an arbitrary file upload vulnerability in LEPTON CMS v7.0.0 that allows authenticated attackers to upload PHP files to the languages directory, leading to remote code execution. This affects any LEPTON CMS installation running version 7.0.0 with authenticated user access. Attackers can gain full control of the web server through this vulnerability.
💻 Affected Systems
- LEPTON CMS
📦 What is this software?
Leptoncms by Lepton Cms
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise allowing attackers to execute arbitrary commands, steal data, install backdoors, pivot to internal networks, and maintain persistent access.
Likely Case
Webshell deployment leading to data exfiltration, website defacement, cryptocurrency mining, or use as part of a botnet.
If Mitigated
Limited impact if file uploads are restricted, proper file type validation is implemented, and web directories have appropriate permissions.
🎯 Exploit Status
Exploit code is publicly available on Exploit-DB and Packet Storm. Attack requires authenticated access but exploitation is straightforward once credentials are obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: Not available
Restart Required: No
Instructions:
No official patch available. Upgrade to a newer version if available, or apply workarounds. Consider migrating to alternative CMS solutions.
🔧 Temporary Workarounds
Restrict file uploads in languages directory
Linux: Add .htaccess rules to prevent PHP file execution in the languages directory
echo 'php_flag engine off' > /path/to/lepton/backend/languages/.htaccess
chmod 644 /path/to/lepton/backend/languages/.htaccess
Note: php_flag is honoured only where PHP runs as Apache's mod_php and AllowOverride permits it; on PHP-FPM/FastCGI or nginx setups the directive is ignored, so deny access to .php files in that directory in the server configuration instead.
Implement file type validation
All platforms: Add server-side validation to reject PHP file uploads in the languages upload functionality
Edit backend/languages/index.php so that, before the file is written, the extension is compared case-insensitively against every extension the PHP handler executes, e.g.:
$ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
if (in_array($ext, ['php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar', 'htaccess'], true)) { die('Invalid file type'); }
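The same validation policy, written as an added Python example (not LEPTON CMS code and not the upstream patch) so it can be run and tested stand-alone. The extension list, the configuration-file names and the sample names are assumptions; the point it shows beyond the one-line PHP check is that a safe check must fold case, strip client-supplied paths, inspect every dotted segment (not just the last one) and refuse server configuration files.

```python
"""Upload-name validation for a directory served by a PHP handler.

Added illustration, not LEPTON CMS code. Lists below are constructed
assumptions; align them with the handler mappings on the real server.
"""

# Extensions a typical Apache mod_php / PHP-FPM handler mapping will execute.
EXECUTABLE_EXTENSIONS = frozenset({
    "php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps",
})

# Server configuration files that must never be writable through an upload.
CONFIG_NAMES = frozenset({".htaccess", ".htpasswd", "web.config"})


def is_safe_upload_name(filename: str) -> bool:
    """Return True only if the name cannot become server-executed code."""
    # Drop any path component the client sent (../, C:\, etc.).
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if not name or name in (".", ".."):
        return False
    # Reject NUL and other control characters that confuse C-level file APIs.
    if any(ord(c) < 0x20 for c in name):
        return False
    lower = name.lower()
    if lower in CONFIG_NAMES:
        return False
    # Inspect every dotted segment after the base name: "shell.php.txt" or
    # "shell.php." can still be handed to the PHP handler on some configs.
    segments = [s for s in lower.split(".")[1:] if s]
    if not segments:  # no extension at all: refuse, be conservative
        return False
    return not any(seg in EXECUTABLE_EXTENSIONS for seg in segments)


def filter_uploads(names):
    """Split a batch of candidate names into (accepted, rejected) lists."""
    accepted, rejected = [], []
    for n in names:
        (accepted if is_safe_upload_name(n) else rejected).append(n)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample names for a local run.
    ok, bad = filter_uploads(
        ["EN.txt", "de.json", "Shell.PHP", "shell.php.txt", ".htaccess", "../x.php"]
    )
    print("accepted:", ok)
    print("rejected:", bad)
```

Refusing names with no extension at all is a deliberate conservative choice; loosen it only if the upload feature genuinely needs such files.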
🧯 If You Can't Patch
- Implement strict access controls and multi-factor authentication for backend users
- Deploy a web application firewall (WAF) with rules to block PHP file uploads to languages directory
🔍 How to Verify
Check if Vulnerable:
Check if running LEPTON CMS version 7.0.0 and examine backend/languages/index.php for proper file type validation
Check Version:
Check version.txt in LEPTON root directory or examine admin panel footer
Verify Fix Applied:
Attempt to upload a PHP file to backend/languages/ - it should be rejected or not execute
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to backend/languages/ directory
- PHP file creation in languages folder
- Multiple failed upload attempts
Network Indicators:
- POST requests to backend/languages/index.php with file uploads
- Unusual outbound connections from web server
SIEM Query:
source="web_logs" AND uri="/backend/languages/index.php" AND method="POST" AND (file_extension="php" OR content_type="application/x-php")
(Field names are illustrative; map them to the schema of your own web-log source.)
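The log indicators above, turned into detection logic over Apache/nginx combined-format access logs. This is an added example, not part of the original advisory and not LEPTON code; the log lines are constructed, and the endpoint and directory paths follow the advisory (backend/languages/). It flags three things: any POST to the upload endpoint, a request for a non-index .php file under the languages directory (tagged as upload-then-execute when the same client posted earlier), and clients with repeated failed uploads.

```python
"""Detect upload-then-execute activity in web access logs (added example)."""
import re
from collections import Counter

# Apache/nginx "combined" format; remote IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

UPLOAD_ENDPOINT = "/backend/languages/index.php"   # from the advisory
LANG_DIR = "/backend/languages/"
PHP_EXT_RE = re.compile(r"\.ph(p\d?|tml|ar)$")      # .php, .php5, .phtml, .phar
FAILED_UPLOAD_THRESHOLD = 3                          # assumed tuning value


def parse_line(line):
    """Return a dict for a well-formed combined-log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]   # ignore the query string
    rec["status"] = int(rec["status"])
    return rec


def find_suspicious(lines):
    """Apply the three detection rules and return findings in log order."""
    findings = []
    uploaders = set()          # IPs that hit the upload endpoint with POST
    failed = Counter()         # per-IP count of non-2xx upload POSTs
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        lower = rec["path"].lower()
        if rec["method"] == "POST" and lower == UPLOAD_ENDPOINT:
            uploaders.add(rec["ip"])
            if rec["status"] >= 400:
                failed[rec["ip"]] += 1
            findings.append({"rule": "upload_attempt", "ip": rec["ip"],
                             "path": rec["path"], "status": rec["status"]})
            continue
        # Any other .php file under the languages directory should not exist.
        if (lower.startswith(LANG_DIR) and lower != UPLOAD_ENDPOINT
                and PHP_EXT_RE.search(lower)):
            rule = "upload_then_execute" if rec["ip"] in uploaders else "php_executed"
            findings.append({"rule": rule, "ip": rec["ip"],
                             "path": rec["path"], "status": rec["status"]})
    for ip, n in failed.items():
        if n >= FAILED_UPLOAD_THRESHOLD:
            findings.append({"rule": "multiple_failed_uploads", "ip": ip,
                             "path": UPLOAD_ENDPOINT, "count": n})
    return findings


# Constructed sample log: one successful upload followed by execution of the
# new file, one unrelated visitor, and one client whose uploads are refused.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "GET /backend/languages/index.php HTTP/1.1" 200 5120
203.0.113.7 - - [10/Jan/2024:10:00:09 +0000] "POST /backend/languages/index.php HTTP/1.1" 200 812
203.0.113.7 - - [10/Jan/2024:10:00:15 +0000] "GET /backend/languages/lang_xx.php HTTP/1.1" 200 63
198.51.100.4 - - [10/Jan/2024:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 9031
198.51.100.9 - - [10/Jan/2024:10:06:00 +0000] "POST /backend/languages/index.php HTTP/1.1" 403 210
198.51.100.9 - - [10/Jan/2024:10:06:01 +0000] "POST /backend/languages/index.php HTTP/1.1" 403 210
198.51.100.9 - - [10/Jan/2024:10:06:02 +0000] "POST /backend/languages/index.php HTTP/1.1" 403 210
"""

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f)
```

The upload-then-execute rule is the high-confidence one: a legitimate administrator uploading language files does not normally request a fresh .php file in that directory seconds later. Pair it with a file-integrity watch on backend/languages/ so that a file written but never requested is still caught.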
🔗 References
- https://github.com/capture0x/leptoncms
- https://github.com/capture0x/leptoncms/blob/main/README.md
- https://packetstormsecurity.com/files/176647/Lepton-CMS-7.0.0-Remote-Code-Execution.html
- https://www.exploit-db.com/exploits/51949