CVE-2024-42523
📋 TL;DR
PublicCMS versions up to V4.0.202302.e contain an unrestricted file upload vulnerability in the template metadata management endpoint. This allows authenticated attackers to upload arbitrary files, potentially leading to remote code execution. Exploitation requires an administrator account with access to the affected endpoint.
💻 Affected Systems
- PublicCMS
📦 What is this software?
Publiccms by Publiccms
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through web shell upload leading to remote code execution, data theft, and lateral movement.
Likely Case
Web shell deployment allowing persistent backdoor access and potential data exfiltration.
If Mitigated
Limited impact if proper file type validation and access controls are implemented.
🎯 Exploit Status
Exploit requires admin credentials but is straightforward once authenticated. Public proof-of-concept demonstrates file upload capability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after V4.0.202302.e
Vendor Advisory: https://gitee.com/sanluan/PublicCMS/issues/IADVDM
Restart Required: No
Instructions:
1. Upgrade to the latest PublicCMS version.
2. Verify the /admin/cmsTemplate/saveMetaData endpoint now validates file types.
3. Test file upload functionality with malicious file types.
🔧 Temporary Workarounds
Restrict Admin Access
Limit access to the admin interface to trusted IP addresses only
# Configure web server (nginx example)
location /admin/ {
    allow 192.168.1.0/24;
    deny all;
}
File Upload Validation
Implement server-side file type validation for uploads
# Add to web application configuration
# Restrict uploads to specific file extensions only
🧯 If You Can't Patch
- Implement strict file upload validation on the web server level
- Monitor and alert on suspicious file uploads to the /admin/cmsTemplate/ directory
🔍 How to Verify
Check if Vulnerable:
Attempt to upload a file with a malicious extension (e.g., .jsp, .php) to the /admin/cmsTemplate/saveMetaData endpoint as an authenticated admin.
Check Version:
Check PublicCMS version in admin dashboard or configuration files
Verify Fix Applied:
Test file upload with restricted extensions and verify server rejects unauthorized file types.
📡 Detection & Monitoring
Log Indicators:
- File uploads to /admin/cmsTemplate/saveMetaData with unusual file extensions
- Multiple failed upload attempts with executable extensions
Network Indicators:
- POST requests to /admin/cmsTemplate/saveMetaData with file upload content
- Unusual outbound connections from web server after file upload
SIEM Query:
source="web_server" AND (uri="/admin/cmsTemplate/saveMetaData" AND method="POST") AND (file_extension="php" OR file_extension="jsp" OR file_extension="asp")
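The log check described above, as an added example that is not part of the original advisory or of PublicCMS: it scans combined-format access log lines for POSTs to the endpoint and flags accepted ones that come from outside the trusted range used in the nginx workaround. Access logs in this format do not record the uploaded file name, so it keys on method, path and source address; the sample lines and the tolerance for a context-path prefix are assumptions.

```python
import ipaddress
import re

ENDPOINT = "/admin/cmsTemplate/saveMetaData"               # from the advisory
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]    # from the nginx example

# nginx/Apache "combined" format: client, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def is_trusted(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable client field counts as untrusted
    return any(ip in net for net in TRUSTED_NETS)

def find_upload_events(lines):
    """Return one record per POST to ENDPOINT found in the log lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Drop the query string and servlet path parameters (";jsessionid=...").
        path = m["target"].split("?", 1)[0].split(";", 1)[0].rstrip("/")
        # endswith() tolerates a servlet context path prefix (assumption).
        if not path.endswith(ENDPOINT):
            continue
        events.append({"ip": m["ip"], "time": m["ts"],
                       "status": int(m["status"]),
                       "trusted": is_trusted(m["ip"])})
    return events

def alerts(events):
    """Accepted (status < 400) uploads from outside the trusted networks."""
    return [e for e in events if not e["trusted"] and e["status"] < 400]

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '192.168.1.10 - - [01/Jan/2025:10:00:00 +0000] "POST /admin/cmsTemplate/saveMetaData HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2025:10:05:00 +0000] "POST /admin/cmsTemplate/saveMetaData;jsessionid=ABC HTTP/1.1" 200 498 "-" "curl/8.0"',
    '203.0.113.7 - - [01/Jan/2025:10:05:30 +0000] "POST /admin/cmsTemplate/saveMetaData HTTP/1.1" 403 153 "-" "curl/8.0"',
    '198.51.100.4 - - [01/Jan/2025:10:06:00 +0000] "GET /admin/cmsTemplate/saveMetaData HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for e in alerts(find_upload_events(SAMPLE_LOG)):
        print("ALERT", e["time"], e["ip"], e["status"])
```

Replace `TRUSTED_NETS` with the ranges actually allowed in your own `location /admin/` block before running it over real logs.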