CVE-2024-40550
📋 TL;DR
This vulnerability allows attackers to upload arbitrary files to the Public CMS admin interface, which can lead to remote code execution. It affects Public CMS v.4.0.202302.e installations with the vulnerable component accessible. Attackers can compromise the entire system if they can reach the vulnerable endpoint.
💻 Affected Systems
- Public CMS
📦 What is this software?
Publiccms by Publiccms
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control over the server, data exfiltration, ransomware deployment, and lateral movement to other systems.
Likely Case
Webshell deployment leading to persistent backdoor access, data theft, and further exploitation of the compromised server.
If Mitigated
Limited impact with proper file upload restrictions and admin interface protection, potentially only file storage without execution.
🎯 Exploit Status
Exploitation requires admin credentials or authentication bypass to reach the vulnerable endpoint, then simple file upload of malicious payload.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v.4.0.202302.f or later
Vendor Advisory: https://gitee.com/sanluan/PublicCMS/issues/IAALWJ
Restart Required: Yes
Instructions:
1. Back up your current installation and database.
2. Download the latest version from the official repository.
3. Replace the vulnerable files with patched versions.
4. Restart the web server and application services.
🔧 Temporary Workarounds
Restrict Admin Access
Limit access to the /admin/ directory to trusted IP addresses only
# Apache (2.2-style directives; Apache 2.4 needs mod_access_compat for these):
<Location /admin/>
    Order deny,allow
    Deny from all
    Allow from 192.168.1.0/24
</Location>
# Nginx:
location /admin/ {
    allow 192.168.1.0/24;
    deny all;
}
File Upload Restrictions
Implement web application firewall rules to block suspicious file uploads
# ModSecurity rule example:
SecRule FILES "@rx \.(php|jsp|asp|aspx|pl|py|sh)$" \
    "id:1001,phase:2,deny,msg:'Blocked malicious file upload'"
# Cloudflare WAF: Create rule to block file uploads with executable extensions
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the Public CMS server from critical systems
- Deploy runtime application self-protection (RASP) or web application firewall with specific rules blocking file uploads to the vulnerable endpoint
🔍 How to Verify
Check if Vulnerable:
Check if your Public CMS version is v.4.0.202302.e by examining the version file or admin panel. Test if the /admin/cmsTemplate/savePlaceMetaData endpoint accepts file uploads without proper validation.
Check Version:
grep -r "version" /path/to/publiccms/installation/ | grep -i "4.0.202302"
Verify Fix Applied:
After patching, attempt to upload a test file with executable extension to the vulnerable endpoint. It should be rejected or sanitized. Verify the version shows v.4.0.202302.f or later.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to /admin/cmsTemplate/savePlaceMetaData
- Files with executable extensions (.php, .jsp, .asp, etc.) being written to web directories
- Multiple failed authentication attempts followed by successful admin login and file upload
Network Indicators:
- POST requests to /admin/cmsTemplate/savePlaceMetaData with file upload content
- Outbound connections from the web server to suspicious IPs shortly after file uploads
SIEM Query:
source="web_logs" AND (uri="/admin/cmsTemplate/savePlaceMetaData" AND method="POST") AND (content_type="multipart/form-data" OR user_agent CONTAINS "curl" OR user_agent CONTAINS "wget")
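The log indicators above can also be checked offline against exported access logs. The following is an added example, not code from Public CMS or the vendor advisory. It assumes Combined Log Format, that failed admin authentication is logged as 401/403 under /admin/, and a threshold of 3 failures; the sample lines and the /admin/login path are constructed.

```python
import re
from collections import defaultdict

ENDPOINT = "/admin/cmsTemplate/savePlaceMetaData"  # endpoint named on this page
FAIL_THRESHOLD = 3  # assumption: this many 401/403 responses means "multiple failures"

# Combined Log Format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def find_suspect_posts(lines):
    """One finding per POST to ENDPOINT, with that client's earlier admin auth failures."""
    failures = defaultdict(int)
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format access line
        ip, status = m["ip"], int(m["status"])
        # Drop query string and ;jsessionid-style path parameters before comparing.
        path = m["path"].split("?", 1)[0].split(";", 1)[0]
        if m["method"] == "POST" and path.endswith(ENDPOINT):
            findings.append({
                "ip": ip, "time": m["ts"], "status": status,
                "prior_failures": failures[ip],
                "high_priority": failures[ip] >= FAIL_THRESHOLD,
            })
        elif "/admin/" in path and status in (401, 403):
            failures[ip] += 1  # assumption: failed admin auth is logged as 401/403
    return findings

def _line(ip, clock, method, path, status):
    return f'{ip} - - [10/Jul/2024:{clock} +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "-"'

# Constructed sample log (documentation IP ranges; /admin/login is a hypothetical path).
SAMPLE = (
    [_line("198.51.100.7", f"03:12:0{i}", "POST", "/admin/login", 403) for i in range(3)]
    + [
        _line("198.51.100.7", "03:12:09", "POST", "/admin/login", 302),
        _line("198.51.100.7", "03:12:15", "POST", ENDPOINT + "?t=1", 200),
        _line("192.0.2.10", "09:30:00", "GET", "/index.html", 200),
        _line("192.0.2.10", "09:30:05", "POST", ENDPOINT, 200),
    ]
)

if __name__ == "__main__":
    for finding in find_suspect_posts(SAMPLE):
        print(finding)
```

Every POST to the endpoint is reported; high_priority marks the ones preceded by repeated authentication failures from the same client, which matches the third log indicator.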