CVE-2022-40777
Description
Interspire Email Marketer 6.0.0–6.5.0 with Surveys addon allows arbitrary PHP file upload via surveys_submit.php, leading to remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Interspire Email Marketer versions 6.0.0 through 6.5.0 with the Surveys addon enabled are vulnerable to arbitrary file upload. The surveys_submit.php script, used in the "create survey and submit survey" operation, does not properly validate uploaded files, allowing a .php file to be placed under the /admin/temp/surveys/ directory. This issue is an incomplete fix for CVE-2018-19550 [1].
Exploitation
An attacker must have network access to the application and the Surveys addon must be enabled. No authentication is required to reach the vulnerable endpoint. The attacker can craft a malicious .php file and submit it via the survey submission functionality. The file is then stored in the /admin/temp/surveys/ directory and can be accessed directly via a web request, leading to code execution [1].
Impact
Successful exploitation allows an unauthenticated attacker to upload and execute arbitrary PHP code on the server. This can lead to full compromise of the web application and underlying server, including data theft, defacement, or further lateral movement [1].
Mitigation
Interspire has released version 6.5.1, which fixes the vulnerability. Users are advised to update to the latest version. If updating is not immediately possible, users who do not use the survey functionality should disable the Surveys addon and delete the surveys_submit.php file. Users who rely on surveys can download an updated version of surveys_submit.php from the vendor's security bulletin [1].
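As an added defender's check (not part of this CVE record or of the vendor's bulletin), the script below audits an Interspire Email Marketer install for the two conditions the mitigation text names: a surveys_submit.php still deployed anywhere under the webroot, and PHP files sitting in the /admin/temp/surveys/ upload location. The webroot path is an assumption supplied by the caller; the exact location of surveys_submit.php inside the install is not stated on the page, so the script searches for it rather than assuming a path.

```shell
#!/bin/sh
# Added example, not vendor code. Audits an Interspire Email Marketer webroot
# (path supplied by the caller, an assumption) for the indicators named in the
# CVE-2022-40777 mitigation advice:
#   1. surveys_submit.php still present (Surveys addon not removed/updated)
#   2. PHP files under admin/temp/surveys/ (the upload location named in the CVE)
# Exit status: 0 = neither found, 1 = script present, 2 = PHP files in the
# upload directory, 3 = both. Findings are printed for the operator.
iem_surveys_audit() {
  webroot="$1"
  rc=0

  # Indicator 1: the vulnerable endpoint is still deployed somewhere.
  script=$(find "$webroot" -type f -name 'surveys_submit.php' 2>/dev/null)
  if [ -n "$script" ]; then
    echo "surveys_submit.php still present:"
    echo "$script"
    rc=$((rc + 1))
  fi

  # Indicator 2: PHP files in the survey upload directory. The pattern
  # '*.php*' also catches variants such as .php5; a legitimate survey
  # submission should never leave PHP code here.
  if [ -d "$webroot/admin/temp/surveys" ]; then
    found=$(find "$webroot/admin/temp/surveys" -type f -name '*.php*' 2>/dev/null)
    if [ -n "$found" ]; then
      echo "PHP files under admin/temp/surveys/ (review and remove):"
      echo "$found"
      rc=$((rc + 2))
    fi
  fi

  return $rc
}

# Usage: iem_surveys_audit /var/www/iem   (path is illustrative)
```

Run it as the web server user or root against the document root after applying the vendor fix; a non-zero status means the Surveys endpoint or leftover uploads still need attention, and it is cheap enough to schedule as a recurring check.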
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Interspire/Email Marketer
- Range: <=6.5.0
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.