CVE-2024-22724
Description
An issue was discovered in osCommerce v4 that allows local attackers to bypass file upload restrictions and execute arbitrary code via the administrator profile photo upload feature.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
Patches (2)
Vulnerability mechanics
Root cause
"Missing file extension and content validation in the administrator profile photo upload allows an attacker to upload a PHP file disguised as a GIF image."
Attack vector
An attacker with local administrator access uploads a file that begins with a GIF signature (`GIF89a;`) followed by PHP code, for example `GIF89a;<?php system($_GET['cmd']); ?>`. While the upload is in flight, the attacker intercepts their own request with a tool such as Burp Suite and changes the filename extension from `.gif` to `.php` [ref_id=1]. The application stores the file under the manipulated name, and requesting the uploaded `shell.php` from its upload directory causes the server to execute the embedded PHP, giving code execution on the web server [ref_id=1].
Affected code
The vulnerability resides in the administrator profile photo upload feature, specifically the endpoints `POST /admin/upload` and `POST /admin/adminaccount/saveaccount` [ref_id=1]. The application trusts the filename supplied in the multipart request and never checks that the declared extension matches the actual file content, so a GIF-headed file whose name is rewritten to `.php` in transit is stored with that extension and later executed as a PHP script when it is requested [ref_id=1].
What the fix does
No patch is available in the bundle. The advisory recommends implementing robust file type verification that checks the file header and content to ensure they match the expected type (e.g., GIF), using a whitelist of allowed file extensions, and conducting thorough file content inspection to verify the file adheres to the expected format [ref_id=1].
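The following is an added example, not osCommerce code, showing the trusting pattern described under "Root cause" beside a handler that applies the advisory's recommendations (extension whitelist, header and content verification) plus two further defenses a practitioner would add: re-encoding the decoded image so that nothing after the pixel data survives, and never reusing the client-supplied filename. Function and constant names are hypothetical; it assumes PHP 8.0+ with the default `fileinfo` and `gd` extensions, and it feeds both handlers the payload from the attack vector above, first under its original `.gif` name and then under the `.php` name set in the intercepted request.

```php
<?php
declare(strict_types=1);
// Added example (not part of osCommerce). Names below are hypothetical.
// Requires PHP 8.0+ with the fileinfo and gd extensions.

// Server-chosen mapping of permitted extensions to the MIME type that
// content sniffing must report for them.
const ALLOWED_IMAGE_TYPES = [
    'gif'  => 'image/gif',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
];

// Vulnerable pattern (mirrors the root cause): the stored name is whatever
// the multipart request declared, and the bytes are never inspected.
// Renaming shell.gif to shell.php in an intercepted request is enough.
function vulnerableStoreName(string $clientFilename, string $bytes): string
{
    return basename($clientFilename);
}

// Hardened pattern: whitelist the extension, sniff the content and require it
// to agree with the extension, decode it as a real image, re-encode it, and
// store it under a server-generated name. Returns null on rejection.
function hardenedStore(string $clientFilename, string $bytes): ?array
{
    $ext = strtolower(pathinfo($clientFilename, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGE_TYPES[$ext])) {
        return null;                       // .php, .phtml, .phar, ... end here
    }
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    if ($sniffed !== ALLOWED_IMAGE_TYPES[$ext]) {
        return null;                       // declared extension and content disagree
    }
    // A magic-byte match is not enough: "GIF89a;<?php ..." sniffs as image/gif.
    $img = @imagecreatefromstring($bytes);
    if ($img === false) {
        return null;                       // not a decodable image
    }
    // Re-encode from the decoded pixels. Even if a polyglot happens to decode,
    // the output holds only image data, never the attacker's trailing PHP.
    ob_start();
    $ok = match ($ext) {
        'gif'         => imagegif($img),
        'jpg', 'jpeg' => imagejpeg($img),
        'png'         => imagepng($img),
    };
    $clean = ob_get_clean();
    if (!$ok) {
        return null;
    }
    // The server picks both the name and the extension; the client name is
    // used for nothing beyond the whitelist check above.
    $storedName = bin2hex(random_bytes(16)) . '.' . $ext;
    return ['name' => $storedName, 'bytes' => $clean];
}

// Constructed sample: the advisory's payload, under the original .gif name
// and under the .php name substituted in the intercepted request.
$payload = "GIF89a;<?php system(\$_GET['cmd']); ?>";
foreach (['shell.gif', 'shell.php'] as $name) {
    $vuln = vulnerableStoreName($name, $payload);
    $hard = hardenedStore($name, $payload);
    printf("%-9s vulnerable stores as %-9s | hardened: %s\n",
        $name, $vuln,
        $hard === null ? 'rejected' : 'accepted as ' . $hard['name']);
}
```

With the `.php` name the hardened handler rejects at the whitelist check; with the `.gif` name the payload passes content sniffing (the `GIF89a` signature is genuine) and is stopped either because GD cannot decode it or, if some polyglot did decode, because re-encoding drops everything that is not pixel data. Storing uploads in a directory where the web server is configured not to execute scripts is a third, independent layer that should accompany this validation.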
Preconditions
- auth: Attacker must have local administrator access to the osCommerce v4 admin panel
- network: Attacker must be able to intercept and modify their own HTTP upload request (e.g., using Burp Suite); no privileged network position is required
- config: The administrator profile photo upload functionality must be reachable
Reproduction
1. Log in as an administrator and navigate to the profile photo upload feature.
2. Prepare a file with content `GIF89a;<?php system($_GET['cmd']); ?>` and name it `shell.gif`.
3. Intercept the upload request using Burp Suite.
4. Change the filename from `shell.gif` to `shell.php` in the intercepted request.
5. Forward the request; the application accepts the file.
6. Request the uploaded `shell.php` from its upload directory with `?cmd=cat%20/etc/passwd` appended (the space URL-encoded) to execute arbitrary commands [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions (2)
No linked articles in our index yet.