CVE-2018-25409
Description
SIM-PKH 2.4.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by submitting PHP code through the fupload parameter. Attackers can upload PHP files via the aksi_pengurus.php endpoint with module=pengurus and act=update parameters, which are stored in the foto directory and executed as web scripts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SIM-PKH 2.4.1 allows authenticated attackers to upload arbitrary PHP files via the fupload parameter, leading to remote code execution.
Vulnerability
SIM-PKH version 2.4.1 contains an arbitrary file upload vulnerability in the file aksi_pengurus.php. Authenticated users can upload malicious files by sending a POST request with module=pengurus and act=update parameters, along with a PHP file via the fupload parameter. The uploaded file is stored in the foto directory and can be executed as a web script. The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) [1][3].
Exploitation
An attacker must have valid authentication credentials for the SIM-PKH application. The attacker sends a crafted POST request to aksi_pengurus.php with module=pengurus&act=update and sets the fupload parameter to a PHP file containing malicious code. The file is then saved to the foto directory without proper validation of its content type. The attacker can then access the uploaded file via the web server to execute the PHP code [3].
Impact
Successful exploitation allows an attacker to execute arbitrary PHP code on the server with the privileges of the web server user. This can lead to full compromise of the application and underlying server, including data theft, modification, or further lateral movement [3].
Mitigation
No official fix has been released as of the publication date. The project is licensed under GPLv2 and may be forked or patched by the community. As a workaround, restrict access to aksi_pengurus.php and the foto directory via web server configuration (e.g., .htaccess), or disable file upload functionality if not required [1].
AI Insight generated on May 30, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 4
News mentions: 0
No linked articles in our index yet.