CVE-2024-7917

4.7 MEDIUM

📋 TL;DR

This vulnerability in DouPHP 1.7 allows attackers to upload arbitrary files via the favicon handler in the admin system.php file. Attackers can exploit this remotely to potentially execute malicious code on affected systems. Organizations using DouPHP 1.7 Release 20220822 are affected.

💻 Affected Systems

Products:
  • DouPHP
Versions: 1.7 Release 20220822
Operating Systems: All platforms running DouPHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin access to /admin/system.php endpoint

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment

🟠 Likely Case: Webshell upload allowing persistent backdoor access and further system exploitation

🟢 If Mitigated: File upload blocked or restricted to safe file types only

🌐 Internet-Facing: HIGH - Attack can be launched remotely without authentication
🏢 Internal Only: MEDIUM - Still exploitable from internal networks but requires network access

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit details are publicly available and the vulnerability is straightforward to exploit

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available or implementing workarounds.

🔧 Temporary Workarounds

Restrict file uploads in admin/system.php (platform: all)

Modify the favicon handler to restrict file uploads to specific safe file types: edit /admin/system.php to add file type validation for site_favicon uploads.

Implement file upload restrictions via web server (platform: linux)

Configure the web server to block or restrict access to the vulnerable endpoint. A blanket deny also blocks legitimate admin use of the settings page, so restrict the endpoint to trusted addresses instead if it must remain reachable.

Add a location block in nginx:
    location ~ ^/admin/system\.php$ { deny all; }

Add a Files block in Apache (the <Directory> argument must be the filesystem path of the admin directory; Order/Deny is Apache 2.2 syntax, on Apache 2.4 use "Require all denied" instead):
    <Directory /admin>
        <Files system.php>
            Order Deny,Allow
            Deny from all
        </Files>
    </Directory>
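The first workaround above, file type validation in the favicon handler, as an added example written for this page rather than code from DouPHP. It assumes the favicon arrives in a multipart field named site_favicon and is stored under a server-chosen name in a destination directory the handler picks; the MIME type is read from the file bytes, not from the client-supplied type.

```php
<?php
// Added example, not DouPHP's code. Assumes the favicon is posted in a
// multipart field named "site_favicon" (hypothetical field name).
declare(strict_types=1);

function validate_favicon_upload(array $file, string $destDir): string
{
    // Reject anything PHP itself flagged (size limit, partial upload, no file).
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . ($file['error'] ?? -1));
    }
    // Only accept temp paths PHP created for this request, never caller-supplied ones.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > 512 * 1024) {
        throw new RuntimeException('favicon too large');
    }
    // Allow-list: extension => (MIME types from finfo, image type from getimagesize).
    $allowed = [
        'ico' => [['image/vnd.microsoft.icon', 'image/x-icon'], IMAGETYPE_ICO],
        'png' => [['image/png'], IMAGETYPE_PNG],
    ];
    // Only the final extension counts, so "shell.php.png" is judged as "png" and
    // then by its bytes; the original client filename is never reused for storage.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('extension not allowed: ' . $ext);
    }
    [$mimes, $imageType] = $allowed[$ext];
    // Content sniffing from the file bytes; $file['type'] is attacker-controlled.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, $mimes, true)) {
        throw new RuntimeException("content type $mime does not match .$ext");
    }
    // The file must also parse as an image of the claimed type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== $imageType) {
        throw new RuntimeException('not a valid ' . strtoupper($ext) . ' image');
    }
    // Fixed, server-chosen filename: the client never controls the stored path.
    $dest = rtrim($destDir, '/') . '/favicon.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store favicon');
    }
    return $dest;
}

// Usage in the handler (field name and destination are assumptions):
// $path = validate_favicon_upload($_FILES['site_favicon'], __DIR__ . '/../');
```

Wrap the call in a try/catch in the handler and return a generic error to the admin user; the exception messages are for the server log.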

🧯 If You Can't Patch

  • Implement strict file upload validation and sanitization
  • Restrict admin panel access to trusted IP addresses only

🔍 How to Verify

Check if Vulnerable:

Check if running DouPHP 1.7 Release 20220822 and examine /admin/system.php for unrestricted file upload in favicon handler

Check Version:

Check DouPHP version in configuration files or admin panel

Verify Fix Applied:

Test file upload functionality with malicious files to ensure they are blocked

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to /admin/system.php
  • Multiple failed upload attempts
  • Uploads of non-image files to favicon endpoint

Network Indicators:

  • POST requests to /admin/system.php with file uploads
  • Unusual outbound connections from web server

SIEM Query:

source="web_logs" AND uri="/admin/system.php" AND method="POST" AND (file_upload="true" OR content_type="multipart/form-data")
