CVE-2020-10557

Vulnerability

The file upload functionality in upload.php of AContent through version 1.4 does not properly restrict dangerous file extensions. In the default configuration, .php7 and .phtml are not included in the "Illegal File Extensions" list in the admin panel. This allows an authenticated user to upload arbitrary PHP code, bypassing the intended restrictions [1].

Exploitation

An attacker can register a low-privileged account (open registration is enabled by default), create a course, and then navigate to the file manager page. From there, they can upload a file with a .php7 extension containing malicious PHP code. No additional privileges or user interaction beyond the initial registration are required [1].

Impact

Successful exploitation allows the attacker to execute arbitrary PHP commands on the web server with the privileges of the web server process. This can lead to full compromise of the AContent application, data exfiltration, and potentially lateral movement within the hosting environment [1].

Mitigation

As of the publication date (2020-03-16), no official patch has been released by the vendor. Administrators should manually add .php7 and .phtml to the "Illegal File Extensions" list in the admin panel. Additionally, disabling open registration or restricting file upload permissions can reduce risk. The product may be end-of-life; migrating to a supported alternative is recommended [1].