CVE-2024-40645
📋 TL;DR
This vulnerability allows authenticated users in FOG Project to upload malicious files disguised as images, leading to remote code execution on the server. Attackers can append PHP webshells to image files and bypass file extension checks. All FOG Project installations below version 1.5.10.41 with authenticated user access are affected.
💻 Affected Systems
- FOG Project
📦 What is this software?
FOG Project by FOGProject, an open-source computer imaging and cloning solution with a PHP web management interface.
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise allowing attackers to execute arbitrary commands, steal sensitive data, deploy ransomware, or pivot to other network systems.
Likely Case
Attackers upload PHP webshells to gain persistent access, execute commands, and potentially compromise the entire FOG management infrastructure.
If Mitigated
With proper file upload validation and web server restrictions, impact is limited to potential file storage abuse without code execution.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple: it involves uploading a file with PHP code appended to an image.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.5.10.41
Vendor Advisory: https://github.com/FOGProject/fogproject/security/advisories/GHSA-59mq-q8g5-2f4f
Restart Required: Yes
Instructions:
1. Back up your FOG configuration and database.
2. Update FOG Project to version 1.5.10.41 or later.
3. Restart the web server (Apache/Nginx).
4. Verify the patch is applied by checking the version.
🔧 Temporary Workarounds
Restrict file upload extensions
Configure the web server to block execution of uploaded files in the rebranding directory
# For Apache: add to .htaccess in the upload directory (only honoured if AllowOverride permits it;
# otherwise put the same block inside a <Directory> section of the vhost config).
# The pattern has no trailing anchor on purpose, so double extensions such as name.php.png are also blocked.
<FilesMatch "\.(php|php3|php4|php5|phtml|pl|cgi)">
    # Apache 2.4 syntax
    Require all denied
    # Apache 2.2 syntax (mod_access_compat on 2.4)
    # Order Deny,Allow
    # Deny from all
</FilesMatch>
# For Nginx: add to the server block, scoped to the upload directory (placeholder path below).
# An unscoped "deny all" on .php would also block FOG's own PHP pages. Place this location
# before the generic PHP fastcgi location, because the first matching regex location wins.
location ~* ^/<rebranding-upload-dir>/.*\.(php|php3|php4|php5|phtml|pl|cgi)$ {
    deny all;
}
Disable rebranding feature
Temporarily disable the vulnerable rebranding feature until patching
# Remove or restrict access to rebranding functionality
# Modify FOG configuration to disable client banner uploads
🧯 If You Can't Patch
- Restrict user permissions to limit who can access the rebranding feature
- Implement web application firewall (WAF) rules to block suspicious file upload patterns
🔍 How to Verify
Check if Vulnerable:
Check if FOG version is below 1.5.10.41 and if authenticated users can upload files via the rebranding feature without proper extension validation.
Check Version:
grep "define.*FOG_VERSION" /var/www/html/fog/lib/fog/System.class.php
Verify Fix Applied:
After updating to 1.5.10.41, attempt to upload a file with a PHP extension via the rebranding feature; it should be rejected.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to rebranding directory
- PHP file execution from upload directories
- Multiple failed upload attempts with suspicious extensions
Network Indicators:
- HTTP POST requests to rebranding endpoints with file uploads
- Unexpected outbound connections from FOG server
SIEM Query:
source="fog_access.log" AND (uri_path="/fog/management/index.php?node=client&sub=edit" OR uri_path LIKE "%/rebranding%") AND (method="POST" AND size>100000)
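Added example, not code from this advisory or from the FOG project: a small Python analyzer that applies the three log indicators above to constructed Apache access-log lines. It assumes a LogFormat that appends the request byte count (%I from mod_logio), because the default %b field is the response size and says nothing about upload size, and UPLOAD_DIR is a placeholder for the install's actual rebranding upload path.

```python
import re
from collections import defaultdict
# Assumed Apache LogFormat: "%h %l %u %t \"%r\" %>s %b %I" (%I = request bytes, needs mod_logio).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ (?P<req>\d+)$'
)
UPLOAD_DIR = "/fog/REBRANDING_UPLOAD_DIR/"  # placeholder: set to your install's upload path
SCRIPT_EXT = re.compile(r'\.(php\d?|phtml|pl|cgi)(\.|$)', re.IGNORECASE)  # also hits name.php.png
UPLOAD_BYTES = 100_000  # same threshold as the SIEM query above

def is_rebranding_endpoint(uri):
    return "node=client&sub=edit" in uri or "rebranding" in uri.lower()

def analyze(lines):
    # Returns (indicator, client_ip, uri) tuples for the three log indicators.
    alerts, failed = [], defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, uri = m["ip"], m["method"], m["uri"]
        status, req_bytes = int(m["status"]), int(m["req"])
        path = uri.split("?", 1)[0]
        if method == "POST" and is_rebranding_endpoint(uri):
            if req_bytes > UPLOAD_BYTES:
                alerts.append(("large_rebranding_upload", ip, uri))
            if status >= 400:
                failed[ip] += 1
                if failed[ip] == 3:  # third rejected upload from one client
                    alerts.append(("repeated_failed_rebranding_uploads", ip, uri))
        # A script-like name fetched from the upload directory suggests a planted webshell.
        if path.startswith(UPLOAD_DIR) and SCRIPT_EXT.search(path.rsplit("/", 1)[-1]):
            alerts.append(("script_requested_in_upload_dir", ip, uri))
    return alerts

# Constructed sample lines (not real FOG logs), in the LogFormat assumed above.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jul/2024:10:01:02 +0000] "GET /fog/management/index.php?node=home HTTP/1.1" 200 5120 420
10.0.0.5 - - [01/Jul/2024:10:02:15 +0000] "POST /fog/management/index.php?node=client&sub=edit HTTP/1.1" 302 183 184512
10.0.0.9 - - [01/Jul/2024:10:03:40 +0000] "GET /fog/REBRANDING_UPLOAD_DIR/banner.php.png HTTP/1.1" 200 47 310
10.0.0.9 - - [01/Jul/2024:10:04:01 +0000] "POST /fog/management/index.php?node=client&sub=edit HTTP/1.1" 403 512 2048
10.0.0.9 - - [01/Jul/2024:10:04:03 +0000] "POST /fog/management/index.php?node=client&sub=edit HTTP/1.1" 403 512 2048
10.0.0.9 - - [01/Jul/2024:10:04:05 +0000] "POST /fog/management/index.php?node=client&sub=edit HTTP/1.1" 403 512 2048
10.0.0.5 - - [01/Jul/2024:10:05:30 +0000] "POST /fog/management/index.php?node=client&sub=edit HTTP/1.1" 200 900 40000
"""
if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(alert)
```

The first sample line shows why the script-extension rule is scoped to the upload directory: FOG's own index.php must not trip it.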
🔗 References
- https://github.com/FOGProject/fogproject/blob/a4bb1bf39ac53c3cbe623576915fbc3b5c80a00f/packages/web/lib/pages/fogconfigurationpage.class.php#L2860-L2896
- https://github.com/FOGProject/fogproject/commit/9469606a18bf8887740cceed6593a2e0380b5e0c
- https://github.com/FOGProject/fogproject/security/advisories/GHSA-59mq-q8g5-2f4f