VYPR
Unrated severity · NVD Advisory · Published Jan 30, 2023 · Updated Mar 28, 2025

CVE-2022-48006

Description

An arbitrary file upload vulnerability in taocms v3.0.2 allows attackers to execute arbitrary code via a crafted PHP file. This vulnerability is exploited via manipulation of the upext variable at /include/Model/Upload.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Arbitrary file upload in taocms v3.0.2 allows remote code execution via crafted PHP file by modifying the upext variable.

Vulnerability

An arbitrary file upload vulnerability exists in taocms v3.0.2, specifically in /include/Model/Upload.php at line 33. The filename extension is controlled by the upext variable, which can be modified to allow PHP file uploads. The vulnerability is reachable through the backend interface, requiring authentication to access the configuration. [1]

Exploitation

An attacker with backend access can first modify the upext variable to include the php extension via the save method in /include/Model/File.php (line 73). After saving, they can upload a crafted PHP file through the file upload functionality. The uploaded file can then be accessed via a direct URL (e.g., http://www.taocms.com:9090/a.php), leading to code execution. [1]

Impact

Successful exploitation allows an attacker to execute arbitrary PHP code on the server, resulting in full system compromise (e.g., obtaining a shell). This impacts confidentiality, integrity, and availability of the application and underlying server. [1]

Mitigation

No official patch has been released for this vulnerability as of the publication date. Users should restrict backend access to trusted administrators, implement server-side file extension validation, and consider upgrading to a patched version if one becomes available. The issue is tracked on GitHub. [1]
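The "server-side file extension validation" the mitigation paragraph calls for is shown below as an added example. It is not taocms code and not a patch for this CVE; the function names, the constants and the configured-extension string are assumptions made for illustration. The point it demonstrates is the one the Vulnerability section raises: an extension list that an authenticated backend user can edit (the page's upext) must not be the only control, so the server applies a fixed forbidden list and a fixed base allowlist on top of whatever is configured, checks the file content rather than only its name, and never reuses the user-supplied filename.

```php
<?php
// Added example (not taocms code): upload validation that does not trust
// an admin-editable extension list such as the page's "upext".
declare(strict_types=1);

// Extensions that are never accepted, whatever the configuration says.
// Typical PHP hosting executes or interprets these server-side.
const FORBIDDEN_EXTENSIONS = [
    'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar', 'phps',
    'pht', 'shtml', 'htaccess', 'htpasswd', 'cgi', 'pl',
];

// Fixed baseline of extensions the application actually needs (assumed set).
const BASE_ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'zip'];

// MIME types finfo is expected to report for each allowed extension.
const EXPECTED_MIME = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'pdf'  => ['application/pdf'],
    'zip'  => ['application/zip', 'application/x-zip-compressed'],
];

/**
 * Build the effective allowlist from a comma-separated configured list
 * (the kind of value a backend user can edit). Forbidden entries are
 * dropped and logged, so editing the configuration cannot enable PHP
 * uploads; entries outside the fixed baseline are ignored as well.
 */
function effectiveAllowlist(string $configuredExtensions): array
{
    $allowed = [];
    foreach (explode(',', $configuredExtensions) as $ext) {
        $ext = strtolower(trim($ext, " \t\n\r\0\x0B."));
        if ($ext === '' || !preg_match('/^[a-z0-9]+$/', $ext)) {
            continue; // empty or malformed entry
        }
        if (in_array($ext, FORBIDDEN_EXTENSIONS, true)) {
            error_log("upload config: refusing forbidden extension '$ext'");
            continue; // never honour a config entry that enables code execution
        }
        if (in_array($ext, BASE_ALLOWED_EXTENSIONS, true)) {
            $allowed[] = $ext;
        }
    }
    return array_values(array_unique($allowed));
}

/**
 * Validate one upload. $tmpPath is the server-side temporary file.
 * Returns the random storage name to use, or throws with the reason.
 */
function validateUpload(string $originalName, string $tmpPath, array $allowlist): string
{
    $base = basename($originalName);
    // Look at every extension segment, not only the last one, so a name
    // like "image.php.jpg" is refused even though it ends in "jpg".
    $parts = array_map('strtolower', explode('.', $base));
    array_shift($parts); // drop the stem
    foreach ($parts as $segment) {
        if (in_array($segment, FORBIDDEN_EXTENSIONS, true)) {
            throw new RuntimeException("forbidden extension segment '$segment'");
        }
    }
    $ext = end($parts);
    if ($ext === false || !in_array($ext, $allowlist, true)) {
        throw new RuntimeException('extension not in allowlist');
    }
    // Check the bytes, not just the name: the detected MIME type must
    // match what the extension claims.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if ($mime === false || !in_array($mime, EXPECTED_MIME[$ext], true)) {
        throw new RuntimeException("content type '$mime' does not match .$ext");
    }
    // Discard the user-supplied name entirely and store under a random one.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Usage (assumed request shape): even if the configured list has been
// edited to "jpg,png,php", "php" is dropped and the upload is refused.
// $allow = effectiveAllowlist($configuredUpext);
// $name  = validateUpload($_FILES['f']['name'], $_FILES['f']['tmp_name'], $allow);
// move_uploaded_file($_FILES['f']['tmp_name'], UPLOAD_DIR . '/' . $name);
```

Two design choices matter here. The forbidden list is consulted both when the configuration is read and when a file is checked, so neither a modified setting nor a crafted filename alone reaches the filesystem. The returned name is random, which removes any influence the client had over the stored path; storing uploads outside the web root, or configuring the web server not to execute scripts in the upload directory, is the complementary server-side control that limits the damage if a check is ever bypassed.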

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • taocms/taocms (source: description)
  • Taogo/Taocms (source: llm-fuzzy)
    Range: =3.0.2

Patches (0)

No patches discovered yet.


References (1)
