CVE-2020-10386
Description
admin/imagepaster/image-upload.php in Chadha PHPKB Standard Multi-Language 9 allows remote attackers to achieve Code Execution by uploading a .php file in the admin/js/ directory.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
PHPKB Multi-Language 9 allows authenticated remote code execution via arbitrary file upload in admin/imagepaster/image-upload.php.
Vulnerability
The vulnerability resides in admin/imagepaster/image-upload.php in Chadha PHPKB Standard Multi-Language version 9. The script does not validate the file extension or content type, allowing an authenticated attacker to upload a file containing PHP code to the admin/js/ directory. The upload is performed via a POST request with parameters action=imageinsert_upload, imgMime=image/php, and imgName set to a path like ../js/index.png or ../js/shell.php. The file is saved with the given name, and the server executes it as PHP due to misconfiguration or lack of extension filtering [1][2].
Exploitation
An attacker must have valid credentials for a Superuser, Writer, Translator, or Editor account. After logging in, the attacker sends a crafted POST request to admin/imagepaster/image-upload.php with a file containing PHP code (e.g., <?php system($_GET['cmd']); ?>). The imgName parameter can be set to ../js/shell.php to upload a .php file, or to ../js/index.png if the server executes .png files as PHP. The response returns the URL of the uploaded file, which can then be accessed with a command parameter to execute arbitrary system commands [1][2].
Impact
Successful exploitation results in remote code execution as the web server user. An attacker can execute arbitrary commands, read sensitive files, modify data, or pivot to other systems. This leads to full compromise of the PHPKB application and potentially the underlying server [1][2].
Mitigation
No official patch has been released by the vendor as of the publication date (2020-03-12). As a workaround, restrict access to the admin panel to trusted users only, implement strict file upload validation (e.g., whitelist allowed extensions and MIME types), and disable PHP execution in the admin/js/ directory via server configuration (e.g., .htaccess with php_flag engine off). Users should monitor for updates from the vendor [1][2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Chadha PHPKB/Chadha PHPKB Standard Multi-Language
- Range: =9
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing validation of the `imgName` parameter allows directory traversal, and the uploaded file content is not sanitized, enabling PHP code execution."
Attack vector
An attacker must first authenticate as a Superuser, Writer, Translator, or Editor via `/admin/login.php` [ref_id=1]. The attacker then sends a POST request to `admin/imagepaster/image-upload.php` with a file containing arbitrary PHP code, sets `action=imageinsert_upload`, `imgMime=image/php`, and `imgParent=null`, and provides an `imgName` value such as `../js/index.png` to traverse into the `admin/js/` directory [ref_id=1]. The server stores the uploaded PHP payload under a `.png` extension, but because the file content is PHP code, accessing the returned URL with a `cmd` parameter achieves remote code execution [ref_id=1].
Affected code
The vulnerable endpoint is `admin/imagepaster/image-upload.php` in Chadha PHPKB Standard Multi-Language 9. The upload handler accepts a file parameter and writes it to a path constructed from the `imgName` POST parameter, which allows directory traversal via `../js/index.png` [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory [ref_id=1] does not describe a vendor fix. To remediate, the application should validate the `imgName` parameter to reject directory traversal sequences (e.g., `../`), enforce a strict whitelist of allowed file extensions and MIME types (e.g., only image types like `image/png`, `image/jpeg`), and store uploaded files outside the web root or in a non-executable directory.
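The checks named under Mitigation and in the paragraph above, as an added example in PHP (not PHPKB code and not a vendor fix). `resolve_upload_target` and `ALLOWED_TYPES` are hypothetical names, the fileinfo extension is assumed to be loaded, and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helper, not PHPKB code.
// Permitted extensions mapped to the MIME type their bytes must sniff as.
const ALLOWED_TYPES = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
];

/** Returns the path the upload may be written to, or null to reject it. */
function resolve_upload_target(string $imgName, string $bytes, string $uploadDir): ?string
{
    // One plain file name with a single extension: no "/", "\", "..", NUL,
    // or double extensions, so "../js/index.png" never reaches the filesystem.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})\z/', $imgName, $m)) {
        return null;
    }
    $ext = strtolower($m[1]);
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return null;
    }
    // Sniff the content; the client-supplied imgMime value is ignored.
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    if ($sniffed !== ALLOWED_TYPES[$ext]) {
        return null;
    }
    // The destination must already exist; the stored name is server-chosen.
    $dir = realpath($uploadDir);
    if ($dir === false || !is_dir($dir)) {
        return null;
    }
    return $dir . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample inputs: a 1x1 PNG and a harmless PHP marker script.
$png = base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==');
$php = "<?php echo 'marker'; ?>";
$cases = [
    ['../js/index.png', $php],  // traversal name from the advisory
    ['../js/shell.php', $php],  // traversal plus executable extension
    ['index.png',       $php],  // clean name, but bytes are not an image
    ['photo.png',       $png],  // genuine image
];
foreach ($cases as [$name, $body]) {
    $target = resolve_upload_target($name, $body, sys_get_temp_dir());
    printf("%-18s %s\n", $name, $target ?? 'REJECTED');
}
```

A file that is both a valid image and contains PHP still passes the content sniff, so the upload directory must also be non-executable, as the mitigation text describes.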
Preconditions
- auth: Attacker must have valid credentials for a Superuser, Writer, Translator, or Editor account
- network: Attacker must have network access to the PHPKB application
- config: The application must be PHPKB Standard Multi-Language version 9
- input: The upload endpoint must be reachable at admin/imagepaster/image-upload.php
Reproduction
1. Authenticate as a Superuser, Writer, Translator, or Editor by POSTing `phpkb_username`, `phpkb_password`, and `login=LOGIN` to `/admin/login.php`.
2. Send a POST request to `/admin/imagepaster/image-upload.php` with the following parameters: `file` set to `"<?php echo shell_exec($_GET['cmd'].' 2>&1'); ?>"`, `action=imageinsert_upload`, `imgMime=image/php`, `imgName=../js/index.png`, and `imgParent=null`.
3. Parse the JSON response to extract the `url` value.
4. Visit that URL with `?cmd=<command>` appended to execute arbitrary system commands [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- antoniocannito.it (mitre, x_refsource_MISC)
- packetstormsecurity.com/files/156757/PHPKB-Multi-Language-9-image-upload.php-Code-Execution.html (mitre, x_refsource_MISC)
- antoniocannito.it/phpkb1 (mitre, x_refsource_MISC)
- www.exploit-db.com/exploits/48221 (mitre, x_refsource_MISC)