A PHP-based CMS called “Schlix” suffers from an authenticated RCE vulnerability that has not been patched yet. An arbitrary file upload in the media manager allows a malicious administrator to upload PHP code and subsequently execute it on the server.

The vulnerable code is located in the file system/apps/core/mediamanager/core.mediamanager.admin.class.php. During the upload process the isFileSafe method is called, which is supposed to decide whether the uploaded file is safe to store. In essence, the method extracts the extension from the filename and rejects the upload if it is either js or php; otherwise it reads the temporary file and rejects it if the content contains the <?php or <?= open tags:

```php
535 /**
536  * @param string $tmp_filename
537  * @param string $filename
538  * @return boolean
539  */
540 private function isFileSafe($tmp_filename, $filename)
541 {
542     $pi = mb_pathinfo($filename);
543     $ext = strtolower($pi['extension']);
544     if ($ext == 'js' || $ext == 'php')
545         return false;
546     else
547     {
548         $fstr = file_get_contents($tmp_filename);
549         $valid = !str_contains($fstr,'<?php') && !str_contains($fstr, '<?=');
550         return $valid;
551     }
552 }
```

The first check (line 544) is a denylist of only two extensions and is trivially bypassed by uploading a file with one of the alternative extensions that web servers commonly map to the PHP interpreter, of which there are a handful.

The second check (line 549) tests whether the uploaded file contains the <?php or <?= open tags, which would indicate that it holds PHP code. This check also falls short: str_contains is a case-sensitive substring match, while PHP does not care about the capitalization of its opening tag, so a tag such as <?PHP is not detected but is still executed.

So, to summarize, uploading a payload.phtml file containing <?PHp passthru($_GET['cmd']); ?> passes both checks and grants code execution on the underlying server (when authenticated as an administrator).
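To make the two weaknesses concrete from the defender's side, the following added example (not Schlix's code) reproduces the original logic in a small harness and places a hardened replacement next to it. The allowed-extension list and the MIME mapping are assumptions for an image/document media manager; both functions take the file content as a string instead of a temporary path so the demo runs from the command line without a web server.

```php
<?php
// Added example, not part of the Schlix code base. Constructed inputs only.

// Reproduction of the vulnerable logic for contrast: a two-entry extension
// denylist and a case-sensitive open-tag search.
function isFileSafeOriginal(string $content, string $filename): bool
{
    $pi  = pathinfo($filename);
    $ext = strtolower($pi['extension'] ?? '');
    if ($ext == 'js' || $ext == 'php') {
        return false;
    }
    return !str_contains($content, '<?php') && !str_contains($content, '<?=');
}

// Assumed policy for the hardened variant.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];
const EXT_TO_MIME = [
    'jpg'  => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png',
    'gif'  => 'image/gif',  'pdf'  => 'application/pdf', 'txt' => 'text/plain',
];

// Hardened check:
//  1. Allowlist instead of denylist, applied to every dot-separated segment
//     after the basename, so the interpreter can never be reached via an
//     unexpected or chained extension.
//  2. Any PHP open tag is rejected regardless of capitalization. Matching the
//     bare "<?" prefix covers <?php, <?PHP, <?= and the short "<?" tag at once.
//  3. Where the fileinfo extension is available, the declared extension must
//     agree with the MIME type libmagic detects from the content.
function isFileSafeHardened(string $content, string $filename): bool
{
    $parts = explode('.', basename($filename));
    if (count($parts) < 2) {
        return false;                       // no extension at all
    }
    array_shift($parts);                    // drop the basename
    foreach ($parts as $segment) {
        if (!in_array(strtolower($segment), ALLOWED_EXTENSIONS, true)) {
            return false;
        }
    }
    $ext = strtolower(end($parts));

    if (preg_match('/<\?/', $content) === 1) {
        return false;                       // open tag in any form or case
    }

    if (class_exists('finfo')) {
        $finfo = new finfo(FILEINFO_MIME_TYPE);
        $mime  = $finfo->buffer($content);
        if ($mime === false || $mime !== EXT_TO_MIME[$ext]) {
            return false;                   // content disagrees with extension
        }
    }
    return true;
}

// Runs both checks over constructed uploads and returns the verdicts.
function demo(): array
{
    $samples = [
        // the bypass described in the post: alternative extension + mixed-case tag
        'payload.phtml' => "<?PHp passthru(\$_GET['cmd']); ?>",
        'evil.php'      => "<?php echo 1; ?>",
        'photo.jpg'     => "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01",   // JPEG header
        'notes.txt'     => "plain text, nothing to execute",
    ];
    $out = [];
    foreach ($samples as $name => $content) {
        $out[$name] = [
            'original' => isFileSafeOriginal($content, $name),
            'hardened' => isFileSafeHardened($content, $name),
        ];
    }
    return $out;
}

if (PHP_SAPI === 'cli' && realpath($argv[0] ?? '') === __FILE__) {
    foreach (demo() as $name => $verdict) {
        printf("%-14s original=%s hardened=%s\n", $name,
            $verdict['original'] ? 'accept' : 'reject',
            $verdict['hardened'] ? 'accept' : 'reject');
    }
}
```

Running the demo shows payload.phtml being accepted by the original logic and rejected by the hardened one, while the JPEG and text samples pass both. Rejecting any file that contains "<?" is deliberately coarse: for a media manager that should only ever hold images and documents, a false positive on an XML declaration is a far cheaper failure than letting an interpreter-reachable file through.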

References