CVE-2024-57450
📋 TL;DR
ChestnutCMS versions up to 1.5.0 contain a file upload vulnerability in the Create template function that allows attackers to upload malicious files. This can lead to remote code execution, compromising the entire CMS installation. All users running vulnerable versions are affected.
💻 Affected Systems
- ChestnutCMS
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise leading to data theft, ransomware deployment, or use as a foothold for lateral movement within the network.
Likely Case
Webshell upload enabling persistent backdoor access, defacement, or data exfiltration from the CMS database.
If Mitigated
File upload attempts blocked or quarantined with no successful exploitation.
🎯 Exploit Status
Exploitation requires no authentication and minimal technical skill based on the vulnerability description.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None found
Restart Required: No
Instructions:
No official patch available. Consider upgrading to version >1.5.0 if available, or implement workarounds.
🔧 Temporary Workarounds
Disable template creation
Platform: all
Temporarily disable the Create template function in the ChestnutCMS admin interface.
Web server file upload restrictions
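Platform: linux
Configure the web server (Apache/Nginx) to block file uploads to the template directory.
# Apache: add to .htaccess in the template directory.
# Denies requests for files with these extensions; (?i) makes the match case-insensitive.
# Apache 2.4 and later: replace the Order/Deny lines with "Require all denied".
<FilesMatch "(?i)\.(php|phtml|php3|php4|php5|php7|phps|php8|inc|pl|py|jsp|asp|aspx|sh|cgi|exe)$">
    Order Allow,Deny
    Deny from all
</FilesMatch>
# Nginx: add to the server block.
# ~* is a case-insensitive regex match; matching requests are denied.
location ~* \.(php|phtml|php3|php4|php5|php7|phps|php8|inc|pl|py|jsp|asp|aspx|sh|cgi|exe)$ {
    deny all;
}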
🧯 If You Can't Patch
- Implement strict file upload validation in application code to only allow safe file types.
- Move CMS to isolated network segment with strict outbound firewall rules.
🔍 How to Verify
Check if Vulnerable:
Check ChestnutCMS version in admin panel or configuration files. If version <=1.5.0, assume vulnerable.
Check Version:
Check /admin/dashboard or configuration files for version information.
Verify Fix Applied:
Test file upload functionality with malicious file extensions. Successful upload indicates vulnerability.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to template directories
- POST requests to template creation endpoints with suspicious file extensions
- Web server errors related to file upload restrictions
Network Indicators:
- HTTP POST requests to /admin/template/create or similar endpoints with file uploads
- Outbound connections from CMS server to unknown IPs
SIEM Query:
source="web_server" AND (uri_path="/admin/template/create" OR uri_path="/admin/template/upload") AND http_method="POST" AND file_extension IN ("php", "phtml", "jsp", "asp", "aspx", "sh")
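A file-system sweep for the "Unusual file uploads to template directories" indicator, as an added example that is not part of the original advisory or of ChestnutCMS. The extension list is copied from the web server rules above; the function names are hypothetical and the template directory path is deployment-specific, so it is passed in as an argument.

```python
import os
import sys
import time
from pathlib import Path

# Extension list copied from the Apache/Nginx rules in this advisory.
BLOCKED = set(
    "php phtml php3 php4 php5 php7 phps php8 inc pl py jsp asp aspx sh cgi exe".split()
)


def suspicious_extensions(name):
    """Return the blocked extensions found anywhere in a file name.

    Every dot-separated part after the first is checked, so a double
    extension such as 'banner.php.html' is flagged. Case is ignored and
    trailing dots or spaces are stripped before the check.
    """
    parts = name.strip().rstrip(". ").lower().split(".")[1:]
    return [p.strip() for p in parts if p.strip() in BLOCKED]


def sweep(template_dir, since_epoch=0.0):
    """List (path, extensions, mtime) for files under template_dir that carry
    a blocked extension and were modified at or after since_epoch."""
    findings = []
    for root, _dirs, files in os.walk(template_dir):
        for fname in files:
            hits = suspicious_extensions(fname)
            if not hits:
                continue
            path = Path(root) / fname
            mtime = path.lstat().st_mtime  # lstat: do not follow symlinks
            if mtime >= since_epoch:
                findings.append((str(path), hits, mtime))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: sweep.py <template_dir> [days_back]   (path is an assumption per deployment)
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    days = float(sys.argv[2]) if len(sys.argv) > 2 else 30.0
    for path, exts, mtime in sweep(target, time.time() - days * 86400):
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(mtime))
        print(f"{stamp}  {','.join(exts):<8}  {path}")
```

Any hit in a directory that should only hold template files is worth triage against the web server access log for the same timestamp.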