CVE-2020-35709 in BloofoxCMS
Summary
by MITRE • 12/26/2020
bloofoxCMS 0.5.2.1 allows admins to upload arbitrary .php files (with "Content-Type: application/octet-stream") to ../media/images/ via the admin/index.php?mode=tools&page=upload URI, aka directory traversal.
Analysis
by VulDB Data Team • 06/02/2026
This vulnerability exists in bloofoxCMS version 0.5.2.1, where administrative users can upload arbitrary PHP files to the media/images directory through a specific upload endpoint. The flaw stems from inadequate input validation and file type checking in the file upload functionality. An attacker can bypass the normal file extension restrictions by setting the Content-Type header to application/octet-stream, which is commonly treated as a generic binary file type. This allows malicious PHP scripts to be uploaded and subsequently executed on the web server, a severe security risk for the entire CMS installation.
Technically, this vulnerability follows a directory traversal attack pattern in which the upload functionality does not properly validate file extensions or content types before storing files in the web root. The URI path admin/index.php?mode=tools&page=upload provides direct access to the file upload interface with insufficient authorization checks and file validation. When the server receives a file declared as Content-Type: application/octet-stream, it does not perform the security checks it would apply to a file recognized as PHP, so the malicious payload is stored in the ../media/images/ directory, where it is reachable via ordinary web requests.
The operational impact is significant, as the vulnerability gives attackers persistent code execution on the affected server. Once a malicious PHP file is uploaded, it can be executed directly through web requests, potentially allowing attackers to gain full control over the server, steal sensitive data, or use the compromised system as a launch point for further attacks within the network. The vulnerability maps directly to CWE-434, which covers insecure file upload where an application accepts files without proper validation, and aligns with ATT&CK technique T1190 for exploiting vulnerabilities in web applications.
Organizations should immediately implement multiple layers of defense to mitigate this vulnerability. The primary mitigation is strict file type validation that checks both the file extension and the actual file content, rather than relying on the client-supplied Content-Type header. Upload functionality should validate against a whitelist of allowed file types and reject any file that does not match the expected patterns. Additionally, uploaded files should be stored outside the web root, and file permissions should be enforced so that uploaded files can never be executed. The content-type check should verify that the actual file bytes match the reported type, and every administrative interface should require proper authentication and authorization before allowing an upload. Regular security audits and penetration testing should be conducted to identify similar vulnerabilities in other parts of the application stack.
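The following is an added example of the mitigations just described, written as a hardened image-upload handler in PHP; it is not bloofoxCMS code, and the allow-list, the storage directory and the function name are assumptions. It ignores the client-supplied Content-Type entirely and instead sniffs the stored bytes, so a PHP script declared as application/octet-stream is rejected.

```php
<?php
// Added example (not bloofoxCMS code): a hardened image-upload handler.
// The allow-list, UPLOAD_DIR and the function name are assumptions.
declare(strict_types=1);

// Extension -> MIME type the stored bytes must actually have (allow-list).
const ALLOWED_IMAGES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];
// Assumed storage directory outside the web root; files are served by a
// script that sets the Content-Type, never by the web server directly.
const UPLOAD_DIR = '/var/lib/cms/uploads';

/**
 * Validate one entry of $_FILES and return the path it was stored at.
 * Throws on any check failure. The client name and $file['type'] are
 * never trusted: the extension is allow-listed and the content is sniffed.
 */
function storeImageUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('invalid upload');
    }
    // Extension taken from the client name, normalised, then allow-listed.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGES[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // Sniff the real content with libmagic and parse it as an image;
    // the Content-Type the client sent ($file['type']) is ignored.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $real  = $finfo->file($file['tmp_name']);
    if ($real !== ALLOWED_IMAGES[$ext] || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('content does not match declared type');
    }
    // Server-generated name: no traversal, no double extensions, no PHP.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // readable by the application, never executable
    return $dest;
}

// In the admin upload handler, after authentication and CSRF checks pass:
// $stored = storeImageUpload($_FILES['upload']);
```

Even with this validation in place, the web server configuration for the media directory should deny script execution, so that a single missed check cannot turn an upload into code execution.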