CVE-2018-17826 in HisiPHP
Summary
by MITRE
HisiPHP 1.0.8 allows CSRF via admin.php/admin/user/adduser.html to add an administrator account. The attacker can then use that account to execute arbitrary PHP code by leveraging app/common/model/AdminAnnex.php to add .php to the default list of allowable file-upload types (.jpg, .png, .gif, .jpeg, and .ico).
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 03/28/2020
This vulnerability exists in HisiPHP version 1.0.8 and represents a critical cross-site request forgery flaw that enables unauthorized account creation within the administrative interface. The vulnerability specifically targets the admin.php/admin/user/adduser.html endpoint, which lacks proper anti-CSRF protections, allowing attackers to craft malicious requests that automatically create new administrator accounts without user consent or authentication. The flaw stems from insufficient validation of request origins and lack of anti-CSRF tokens in the user creation form, making it susceptible to exploitation through social engineering or compromised user sessions.
The technical exploitation of this vulnerability begins with the CSRF attack vector that permits unauthorized account creation, followed by a secondary exploitation path that leverages the application's file upload functionality. The app/common/model/AdminAnnex.php component contains a configuration that allows PHP files to be uploaded by default, extending the initial account creation privilege into full system compromise. This file upload capability is particularly dangerous because it allows attackers to execute arbitrary PHP code on the server, effectively providing them with complete control over the application and underlying infrastructure. The vulnerability specifically mentions that the default file upload extensions include .jpg, .png, .gif, .jpeg, and .ico, but the attacker can modify this list to include .php extensions, creating a persistent backdoor.
The operational impact of this vulnerability is severe and encompasses complete system compromise, data theft, and potential lateral movement within network environments. An attacker who successfully exploits this vulnerability gains administrative privileges and can execute arbitrary code on the server, potentially leading to data breaches, service disruption, or use as a foothold for further attacks. The combination of CSRF and file upload vulnerabilities creates a dangerous attack chain that can be exploited without requiring authentication or advanced technical knowledge, making it particularly attractive to threat actors. This vulnerability directly aligns with CWE-352, which defines Cross-Site Request Forgery, and CWE-434, which addresses insecure file upload handling. The attack pattern also corresponds to ATT&CK technique T1059.007 for command and scripting interpreter and T1078.004 for valid accounts, as the attacker leverages legitimate administrative accounts to execute malicious code.
Mitigation strategies should focus on implementing robust anti-CSRF protection mechanisms across all administrative endpoints, including the requirement of anti-CSRF tokens for all state-changing operations. The application should enforce strict file upload validation that prevents execution of PHP files even when they are uploaded to the system, implementing both filename extension checks and content-type verification. Organizations should also implement proper access controls and monitoring of administrative account creation events to detect unauthorized privilege escalation attempts. Additionally, the application code should be updated to remove or disable the ability to modify file upload extensions through configuration changes, ensuring that only safe file types are accepted for upload operations. Regular security audits and input validation testing should be conducted to prevent similar vulnerabilities from emerging in future versions of the application.