CVE-2019-9581
Description
Booked Scheduler 2.7.5 allows arbitrary file upload via the Favicon field, enabling remote PHP code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Booked Scheduler 2.7.5 contains an arbitrary file upload vulnerability in the Favicon field of the "Look and Feel" section of the administration panel. Unlike the other upload fields, the Favicon upload performs no file extension validation, so an authenticated administrator can upload a file with a .php extension; the application saves it as custom-favicon.php in the web root, where the web server executes it as PHP. The affected code is in Presenters/Admin/ManageThemePresenter.php, which does not require an image file extension [1][2].
Exploitation
Exploitation requires valid administrator credentials for the "Look and Feel" management panel. After logging in, the attacker submits a PHP payload (for example a web shell) through the Favicon upload field using a .php extension. The application accepts the file and writes it to custom-favicon.php in the web root, after which a single HTTP request to that path runs the payload. A Metasploit module automates the login, upload and request; it needs only the target URI, a username and a password [1][2][3].
Impact
Successful exploitation lets the attacker execute arbitrary PHP code on the server with the web server's privileges, which in practice means remote command execution on the host. The attacker can read, write and execute files reachable by that account, compromising the web application and potentially the underlying server [2]. No privileges beyond the web server's own context are gained by this issue alone.
Mitigation
No fixed release is identified on this page; the vulnerability is confirmed in Booked Scheduler 2.7.5 and may affect earlier versions. The reference list includes a commit in the upstream SourceForge repository [4]; check whether the installed release contains the corresponding change, or contact the vendor for an update. As interim measures, restrict access to the administration panel (the attack requires administrator credentials, so every administrator account should be treated as equivalent to code execution on the host) and, where the deployment allows, make the web root non-writable by the web server process so that uploaded files cannot be placed there; note that this may break the favicon and other upload features. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1][2][3].
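The following is an added illustration, not code from Booked Scheduler or from any of the cited exploits. It models, in Python, the missing check described under Vulnerability (the client-supplied extension is kept as-is when the file is renamed to custom-favicon.*) next to a hardened version of the same check, and it includes a scan for the custom-favicon.php artifact that the exploitation path leaves in the web root, which is the check an incident responder would run after applying the mitigations above. The extension allow-list, the sample bytes and the temporary web root are constructed for the example; Booked itself is written in PHP and its real list of accepted favicon types is not reproduced here.

```python
"""Model of the Booked favicon upload check (vulnerable vs. hardened) and a
web-root scan for the custom-favicon.php artifact. Example code; the
allow-list and sample files are constructed assumptions, not Booked's own."""
import tempfile
from pathlib import Path
from typing import List

# Assumed allow-list of favicon image types (not taken from Booked).
ALLOWED_EXTENSIONS = {"ico", "png", "gif", "jpg", "jpeg"}

# Leading bytes that each allowed image format must start with.
MAGIC = {
    "ico": b"\x00\x00\x01\x00",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
}

# Constructed sample inputs.
SAMPLE_ICO = MAGIC["ico"] + b"\x01\x00" + b"\x00" * 14
SAMPLE_PNG = MAGIC["png"] + b"\x00" * 8
SAMPLE_SHELL = b"<?php phpinfo(); ?>\n"   # stand-in for an uploaded web shell


def _extension(upload_name: str) -> str:
    return upload_name.rsplit(".", 1)[-1].lower() if "." in upload_name else ""


def stored_name_vulnerable(upload_name: str) -> str:
    """Models the 2.7.5 behaviour: the upload is renamed to custom-favicon but
    the client-chosen extension is kept without any validation, so
    'shell.php' lands in the web root as custom-favicon.php."""
    ext = _extension(upload_name)
    return f"custom-favicon.{ext}" if ext else "custom-favicon"


def validate_favicon(upload_name: str, content: bytes) -> str:
    """Hardened check: the extension must be on the allow-list, the bytes must
    carry that format's signature, and no PHP open tag may be embedded
    (defeats renamed shells and image/PHP polyglots). Returns the safe name."""
    ext = _extension(upload_name)
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not allowed: {ext!r}")
    if not content.startswith(MAGIC[ext]):
        raise ValueError("content does not match the declared image type")
    if b"<?php" in content or b"<?=" in content:
        raise ValueError("PHP open tag embedded in image data")
    return f"custom-favicon.{ext}"


def is_accepted(upload_name: str, content: bytes) -> bool:
    """True if the hardened check would store the upload."""
    try:
        validate_favicon(upload_name, content)
        return True
    except ValueError:
        return False


def scan_webroot(webroot: str) -> List[str]:
    """Post-incident check: flag custom-favicon.* files with a non-image
    extension, a signature mismatch, or an embedded PHP open tag."""
    findings = []
    for path in Path(webroot).glob("custom-favicon*"):
        ext = path.suffix.lstrip(".").lower()
        data = path.read_bytes()
        if ext not in ALLOWED_EXTENSIONS:
            findings.append(f"{path.name}: non-image extension {ext!r}")
        elif not data.startswith(MAGIC[ext]):
            findings.append(f"{path.name}: signature mismatch for .{ext}")
        if b"<?php" in data or b"<?=" in data:
            findings.append(f"{path.name}: contains PHP open tag")
    return sorted(findings)


def demo() -> List[str]:
    """Build a constructed web root (one clean favicon, one renamed shell,
    one PNG/PHP polyglot) in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "custom-favicon.ico").write_bytes(SAMPLE_ICO)
        (Path(root) / "custom-favicon.php").write_bytes(SAMPLE_SHELL)
        (Path(root) / "custom-favicon.png").write_bytes(SAMPLE_PNG + SAMPLE_SHELL)
        return scan_webroot(root)


if __name__ == "__main__":
    print("vulnerable path stores shell.php as:", stored_name_vulnerable("shell.php"))
    print("hardened path accepts shell.php:", is_accepted("shell.php", SAMPLE_SHELL))
    for line in demo():
        print("finding:", line)
```

The signature check matters because an allow-list on the extension alone still lets an attacker upload PHP under a .png name; whether that executes depends on the web server's handler mapping, so checking the bytes and refusing embedded PHP tags closes the gap regardless of server configuration.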
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =2.7.5
Patches
No patches discovered yet.
References
[1] https://www.exploit-db.com/exploits/46486 (MITRE: exploit, x_refsource_EXPLOIT-DB)
[2] https://packetstormsecurity.com/files/165263/Booked-Scheduler-2.7.5-Shell-Upload.html (MITRE: x_refsource_MISC)
[3] https://pentest.com.tr/exploits/Booked-2-7-5-Remote-Command-Execution-Metasploit.html (MITRE: x_refsource_MISC)
[4] https://sourceforge.net/p/phpscheduleit/source/ci/c5a86a279d888bd4362e4b4f61acedc054f99c39/ (MITRE: x_refsource_MISC)
News mentions
No linked articles in our index yet.