CVE-2023-26877
Description
File upload vulnerability found in Softexpert Excellence Suite v.2.1 allows attackers to execute arbitrary code via a .php file upload to the form/efms_exec_html/file_upload_parser.php endpoint.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Softexpert Excellence Suite v2.1 suffers from an unauthenticated file upload vulnerability in the file_upload_parser.php endpoint, allowing remote code execution via .php files.
Vulnerability
Description
CVE-2023-26877 is a file upload vulnerability discovered in Softexpert Excellence Suite version 2.1. The application fails to validate the content type or extension of uploaded files at the form/efms_exec_html/file_upload_parser.php endpoint. An attacker can upload a malicious .php file that is then stored and executed by the server. This flaw stems from insufficient server-side validation of uploaded files, a classic arbitrary file upload bug [1].
Exploitation
Exploitation requires no authentication; the vulnerable endpoint is accessible without login credentials. A crafted HTTP POST request with a multipart form-data payload containing a .php file is sent to the endpoint. The example reference demonstrates uploading a PHP shell that exfiltrates system information via an out-of-band DNS lookup. After upload, the file is accessible at a predictable path under /temp/ with a hashed filename. An attacker can directly request the uploaded PHP file, causing its execution on the server [1].
Impact
Successful exploitation grants an attacker arbitrary code execution on the underlying web server with the privileges of the web application user. This can lead to complete compromise of the application, data exfiltration, or further lateral movement within the network.
Mitigation
As of the publication date (June 2024), Softexpert has not released a patch for this vulnerability in the v2.1 branch. Users are advised to restrict access to the vulnerable endpoint via web server rules, implement strict file upload validation (e.g., block .php extension, validate MIME type), or upgrade to a supported version if available.
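The validation the mitigation paragraph recommends, written out as an added example; this is not Softexpert code and is not taken from the cited reference. It assumes the upload form field is named "file" and that a storage directory outside the web root (the $storageDir parameter) exists and is writable by the web application user. It uses an extension allowlist rather than a ".php denylist", sniffs the real content with finfo instead of trusting the client-supplied type, and stores the file under a server-generated random name so that nothing the client controls decides where or under what name the upload lands.

```php
<?php
// Added example: hardened upload handler (not Softexpert Excellence Suite code).
// Assumptions: form field "file"; $storageDir is outside the web root and
// writable by the web server user; extensions below are the only ones the
// application needs to accept.

declare(strict_types=1);

// Allowlist: extension => MIME type that libmagic reports for genuine content.
const ALLOWED = [
    'pdf' => 'application/pdf',
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
];
const MAX_BYTES = 5 * 1024 * 1024;

function validate_upload(array $file, string $storageDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Confirm PHP itself received this via an HTTP upload, not an arbitrary path.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Only the final extension of the client-supplied name is consulted, and only
    // to pick an expected content type; the name itself is never reused.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('extension not allowed');
    }
    // Sniff the actual bytes; $_FILES['type'] is attacker-controlled and ignored.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("content type $mime does not match .$ext");
    }
    // Server-chosen random name in a directory the web server does not execute
    // from, so even a mis-classified file is never reachable as a script.
    $dest = rtrim($storageDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);
    return $dest;
}

// Usage in the receiving script (hypothetical path):
// $stored = validate_upload($_FILES['file'], '/var/app/uploads');
```

Storing the file under a random name outside the web root is the check that removes the execution step described under Exploitation: even if every other check were bypassed, the server would only ever serve the bytes back through a download script, never run them. Pairing this with a web server rule that denies direct requests to the old /temp/ location closes the predictable-path problem the reference describes.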
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: =2.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.