CVE-2025-56263
📋 TL;DR
CVE-2025-56263 is an arbitrary file upload vulnerability in by-night sms V1.0 that allows attackers to upload any file type and size via the /api/sms/upload/headImg endpoint. This affects all users running the vulnerable version of by-night sms software.
💻 Affected Systems
- by-night sms
📦 What is this software?
Sms by By Night
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through remote code execution by uploading malicious scripts, leading to data theft, ransomware deployment, or creation of persistent backdoors.
Likely Case
Attackers upload web shells to gain unauthorized access, deface websites, or use the server for malicious activities like hosting phishing pages or malware distribution.
If Mitigated
Limited impact with proper file validation, restricted upload directories, and execution prevention controls in place.
🎯 Exploit Status
The vulnerability is trivial to exploit using standard HTTP POST requests. Public GitHub references demonstrate exploitation techniques.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: Not available
Restart Required: No
Instructions:
No official patch available. Check GitHub repository for updates or consider alternative software.
🔧 Temporary Workarounds
Web Server File Upload Restriction
Configure the web server to block access to the vulnerable endpoint or restrict file uploads
# For Apache 2.4: add to the virtual host config (<Location> is not valid in .htaccess)
# On Apache 2.2, use "Deny from all" in place of "Require all denied"
<Location "/api/sms/upload/headImg">
    Require all denied
</Location>
# For Nginx: Add to server block
location /api/sms/upload/headImg {
    deny all;
}
File Upload Validation
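Implement server-side file type validation and size restrictions
# Example PHP validation snippet
$allowed_types = ['image/jpeg', 'image/png', 'image/gif'];
$max_size = 5242880; // 5MB
$upload = $_FILES['file'] ?? null;
if (!$upload || $upload['error'] !== UPLOAD_ERR_OK || $upload['size'] > $max_size) {
    die('Invalid file');
}
// $_FILES['file']['type'] is supplied by the client, so detect the type from the file content
$detected_type = (new finfo(FILEINFO_MIME_TYPE))->file($upload['tmp_name']);
if (!in_array($detected_type, $allowed_types, true)) {
    die('Invalid file');
}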
🧯 If You Can't Patch
- Disable the /api/sms/upload/headImg endpoint completely using web server configuration or application firewall rules
- Implement network segmentation to isolate the vulnerable system and restrict access to trusted IP addresses only
🔍 How to Verify
Check if Vulnerable:
Attempt to upload a non-image file (like test.php) to /api/sms/upload/headImg endpoint. If successful, system is vulnerable.
Check Version:
Check application configuration files or documentation for version information. No standard command available.
Verify Fix Applied:
Attempt the same upload test after applying workarounds. Upload should be rejected with proper error messages.
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /api/sms/upload/headImg with non-image file extensions
- Large file uploads to the vulnerable endpoint
- Successful uploads of executable files (.php, .exe, .sh)
Network Indicators:
- Unusual outbound connections from the server after file uploads
- Traffic patterns indicating web shell communication
SIEM Query:
source="web_server_logs" AND (uri="/api/sms/upload/headImg" AND (method="POST" AND (file_extension="php" OR file_extension="exe" OR file_extension="sh")))
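An added example, not part of the advisory or of the by-night sms project: default Apache and Nginx access log formats do not record the filename of a multipart upload, so the file-extension indicators above may not be searchable in web server logs. This Python sketch instead sweeps the directory where uploaded files are stored (the path is an assumption you supply, and the function names are hypothetical) and flags files that would fail the JPEG/PNG/GIF and 5MB checks from the validation workaround.

```python
import os
import tempfile

# Leading bytes of the three image types the validation snippet allows.
MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
EXT_TYPE = {".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".png": "image/png", ".gif": "image/gif"}
MAX_SIZE = 5242880  # 5MB, the cap used in the validation snippet

def sniff_type(head):
    """Return the image MIME type matching the leading bytes, or None."""
    for mime, signatures in MAGIC.items():
        if head.startswith(signatures):
            return mime
    return None

def audit_upload_dir(root, max_size=MAX_SIZE):
    """Return sorted (relative_path, reason) pairs for files that fail the checks."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, "rb") as fh:
                detected = sniff_type(fh.read(16))
            ext = os.path.splitext(name)[1].lower()
            if detected is None:
                findings.append((rel, "content is not JPEG/PNG/GIF"))
            elif EXT_TYPE.get(ext) != detected:
                findings.append((rel, f"extension {ext!r} does not match {detected}"))
            if os.path.getsize(path) > max_size:
                findings.append((rel, "larger than size limit"))
    return sorted(findings)

def demo():
    """Audit a temporary directory of constructed sample uploads."""
    samples = {
        "avatar.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "test.php": b"constructed non-image content",
        "photo.jpg.php": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
        "big.gif": b"GIF89a" + b"\x00" * 64,
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return audit_upload_dir(root, max_size=50)  # small cap so big.gif trips it
```

Call `audit_upload_dir` with the real upload directory; `demo()` runs it on constructed files. A matching signature only shows that a file starts like an image, so keep script execution disabled in the upload directory as well.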