CVE-2017-7402 in Pixie
Summary
by MITRE
Pixie 1.0.4 allows remote authenticated users to upload and execute arbitrary PHP code via the POST data in an admin/index.php?s=publish&x=filemanager request for a filename with a double extension, such as a .jpg.php file with Content-Type of image/jpeg.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 10/30/2025
The vulnerability described in CVE-2017-7402 represents a critical file upload security flaw in Pixie version 1.0.4 that enables authenticated attackers to execute arbitrary PHP code remotely. This issue stems from inadequate input validation and file extension handling within the application's file management functionality, specifically affecting the admin/index.php?s=publish&x=filemanager endpoint. The vulnerability exploits a common pattern where applications fail to properly validate file extensions or content types, creating opportunities for malicious file uploads that can bypass security controls.
The technical exploitation mechanism relies on the manipulation of file extensions through double extensions, where a file named .jpg.php is crafted to appear as a legitimate image file while actually containing executable PHP code. This technique leverages the fact that many web applications perform extension validation but fail to account for multiple dots in filenames or do not properly validate the actual file content. The Content-Type header of image/jpeg is used to further deceive the system into accepting what appears to be a safe image file. This vulnerability falls under CWE-434, which specifically addresses insecure file upload handling, and represents a classic example of how insufficient validation can lead to remote code execution.
The operational impact of this vulnerability is severe as it provides authenticated attackers with the ability to execute arbitrary code on the affected server with the privileges of the web application. This could enable attackers to gain full control over the web server, access sensitive data, establish persistence mechanisms, or use the compromised system as a launch point for further attacks within the network. The vulnerability affects the confidentiality, integrity, and availability of the system, as attackers can modify content, delete files, or even install backdoors. According to ATT&CK framework, this maps to T1059.007 for command and scripting interpreter and T1078 for valid accounts, as the attack requires authenticated access but then escalates to full system compromise.
Mitigation strategies should focus on implementing robust file validation controls that check both file extensions and actual file content rather than relying solely on extension-based filtering. The system should enforce strict file type validation by examining the file's magic bytes or MIME type signature rather than trusting the Content-Type header alone. Additionally, uploaded files should be stored in a separate directory from the web root, and all uploaded files should be renamed to prevent extension manipulation attacks. Implementing proper access controls and monitoring for unusual file upload patterns can help detect potential exploitation attempts. Organizations should also consider implementing web application firewalls and regularly updating their applications to address known vulnerabilities. The fix should include proper input sanitization, content type verification, and enforcement of strict file naming conventions to prevent the exploitation of double extension vulnerabilities.