CVE-2018-14570 in B2B2C Multi-Business Basic
Summary
by MITRE
A file upload vulnerability in application/shop/controller/member.php in Niushop B2B2C Multi-business basic version V1.11 allows any remote member to upload a .php file to the web server via a profile avatar field, by using an image Content-Type (e.g., image/jpeg) with a modified filename and file content. This results in arbitrary code execution by requesting that .php file.
Analysis
by VulDB Data Team • 03/09/2020
This vulnerability exists in the Niushop B2B2C Multi-business basic version V1.11 web application, where the file upload functionality behind the member profile avatar field lacks proper validation. Authenticated users can bypass the intended restriction by manipulating the Content-Type header while uploading a file with a .php extension. The root cause is inadequate input sanitization and file type verification: neither the file extension nor the actual file content is properly validated, which creates a path to malicious code execution.
The vulnerability follows a classic file upload attack pattern in which the application accepts user-supplied files without sufficient validation. When a user uploads a profile avatar, the system checks the Content-Type header but does not analyze the file to verify that it matches its declared type. Attackers can exploit this by uploading a file with a legitimate image Content-Type such as image/jpeg while using a .php extension in the filename. The application processes the file as an image but stores it with the .php extension, so the malicious PHP code runs when the file is later requested directly from the web server.
This vulnerability has significant operational impact because it enables arbitrary code execution on the web server, potentially allowing attackers to gain full control over the affected system. The attack requires only authenticated access, which makes it particularly dangerous: any user with a member account can exploit it. The vulnerability maps to CWE-434 (Unrestricted Upload of File with Dangerous Type) and aligns with ATT&CK technique T1190 (Exploit Public-Facing Application). Successful exploitation could lead to data breaches, system compromise, and unauthorized access to sensitive business information within the B2B2C platform.
The recommended mitigation strategies include implementing strict file type validation that checks both file extensions and actual file content using magic number detection, enforcing proper file upload restrictions such as storing uploaded files outside the web root directory, and implementing additional security measures like file content analysis and access control restrictions. Organizations should also consider implementing web application firewalls to detect and block suspicious file upload attempts, while conducting regular security audits to identify similar vulnerabilities in other application components. The fix should involve comprehensive input validation that rejects any file with potentially dangerous extensions regardless of Content-Type header values, and proper file handling mechanisms that prevent execution of uploaded files in web-accessible directories.
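One way to implement the checks recommended above, shown as an added PHP example; it is not Niushop's code and not the vendor's fix. The function names `avatar_extension` and `store_avatar`, the allowlist, and a storage directory outside the web root are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Allowlist: content-detected MIME type => extension assigned by the server.
const AVATAR_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

// Pick the stored extension from the file's bytes only. The client-supplied
// filename and Content-Type are never consulted. Returns null to reject.
function avatar_extension(string $path): ?string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if ($mime === false || !array_key_exists($mime, AVATAR_TYPES)) {
        return null;
    }
    // The image header must also parse and agree with finfo.
    $info = @getimagesize($path);
    if ($info === false || $info['mime'] !== $mime) {
        return null;
    }
    return AVATAR_TYPES[$mime];
}

// Store one $_FILES entry under a random name in $storeDir (assumed to be
// outside the web root). Returns the stored name, or null if rejected.
function store_avatar(array $file, string $storeDir): ?string
{
    $tmp = $file['tmp_name'] ?? null;
    if (($file['error'] ?? null) !== UPLOAD_ERR_OK || !is_string($tmp) || !is_uploaded_file($tmp)) {
        return null;
    }
    $ext = avatar_extension($tmp);
    if ($ext === null) {
        return null;
    }
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($tmp, "$storeDir/$name") ? $name : null;
}

// Constructed demo (CLI only): PHP source text, then a 1x1 GIF.
if (PHP_SAPI === 'cli') {
    $tmp = tempnam(sys_get_temp_dir(), 'av');
    file_put_contents($tmp, '<?php echo 1;');
    var_dump(avatar_extension($tmp));
    file_put_contents($tmp, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
    var_dump(avatar_extension($tmp));
    unlink($tmp);
}
```

The content checks are not the control that prevents execution on their own: the extension is assigned by the server from the allowlist, and the file is stored where the web server will not run it.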