CVE-2019-17188
Description
Unrestricted file upload in Fecmall 2.3.4 allows admin users to upload PHP webshells by changing image file extension to .php due to reliance on getimagesize.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability is an unrestricted file upload in Fecshop FecMall version 2.3.4. Specifically, in the catalog/productinfo/imageupload functionality, the server relies on the getimagesize PHP function to validate uploaded files. This function only checks whether the file contents parse as a valid image; it never looks at the file extension. An attacker can upload a file with a .php extension containing malicious PHP code while providing an image/jpeg content type and valid image data, which passes the getimagesize check [1].
Exploitation
Exploitation requires admin panel access to the image upload functionality. The attacker logs in, selects an image to upload, intercepts the upload request, changes the file extension to .php, and optionally adds a webshell payload while keeping valid image data at the beginning to satisfy getimagesize. The server then saves the file with the .php extension in the image save folder, making it executable [1].
Impact
Successful exploitation allows an authenticated admin user to upload arbitrary PHP code to the web server. This can lead to remote code execution (RCE) with the privileges of the web server user, enabling full compromise of the application and server data, including theft, modification, or deletion of sensitive information.
Mitigation
The vulnerability was reported in September 2019. As of the publication date (2019-10-04), no official patch has been released. The fix should involve validating file extensions and not relying solely on getimagesize to determine file type. Administrators should restrict file upload permissions and monitor for suspicious file uploads. The issue is tracked on GitHub [1]. If no fix is available, consider implementing a Web Application Firewall (WAF) rule to block .php files in upload directories.
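The getimagesize-only pattern described above, placed beside an extension-allowlisting replacement, as an added PHP example that is not FecMall's code; the upload names, the image bytes and the helper names are constructed for the demonstration.

```php
<?php
// Added example, not FecMall's code: the getimagesize-only check behind
// CVE-2019-17188 next to an allowlist-based replacement.

// Weak: asks "is this an image?" but never "will the web server execute this name?"
function weakImageCheck(string $tmpPath): bool
{
    return @getimagesize($tmpPath) !== false;
}

// Hardened: allowlist the extension, require it to agree with the detected
// image type, and never reuse the client-supplied name when storing.
function safeImageName(string $tmpPath, string $clientName): ?string
{
    $allowed = ['jpg' => IMAGETYPE_JPEG, 'jpeg' => IMAGETYPE_JPEG,
                'png' => IMAGETYPE_PNG, 'gif' => IMAGETYPE_GIF];
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;                       // .php, .phtml, .phar and friends stop here
    }
    $info = @getimagesize($tmpPath);
    if ($info === false || $info[2] !== $allowed[$ext]) {
        return null;                       // not an image, or type and extension disagree
    }
    // Random server-side name: nothing from the request reaches the filesystem path.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Runs both checks against one constructed upload: a 1x1 GIF header, which is
// enough for getimagesize() to report IMAGETYPE_GIF, submitted under several names.
function demo(): array
{
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, "GIF89a\x01\x00\x01\x00\x00\x00\x00;");
    $result = [
        'weak check (name ignored)'  => weakImageCheck($tmp),
        'safe check, avatar.php'     => safeImageName($tmp, 'avatar.php') !== null,
        'safe check, avatar.gif'     => safeImageName($tmp, 'avatar.gif') !== null,
        'safe check, avatar.png'     => safeImageName($tmp, 'avatar.png') !== null,
    ];
    unlink($tmp);
    return $result;
}

var_dump(demo());
```

The returned name should be written with move_uploaded_file() into a directory where the web server does not execute PHP, so that even a validation mistake does not become code execution.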
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Fecshop/FecMall
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] https://github.com/fecshop/yii2_fecshop/issues/77 (MITRE x_refsource_MISC)
News mentions
No linked articles in our index yet.