CVE-2024-31615
Description
ThinkCMF 6.0.9 is vulnerable to File upload via UeditorController.php.
Affected products
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Insufficient suffix validation in the file upload class allows Windows alternate data stream syntax (`::$data`) to bypass the `$strFileExtension == 'php'` check, resulting in a `.php` file being created on disk."
Attack vector
An attacker first renames a PHP webshell to a `.png` suffix to bypass front-end restrictions, then changes the suffix to `'php::$data'` in the upload request [ref_id=1]. The server's suffix filter checks `$strFileExtension == 'php'` but does not account for the Windows alternate data stream syntax `::$data`; when the file is written, Windows creates a file with a `.php` extension [ref_id=1]. The attacker can then access the uploaded URL and use a webshell tool to execute arbitrary commands on the server [ref_id=1].
Affected code
The vulnerability resides in `vendor/thinkcmf/cmf-app/src/user/controller/UeditorController.php` [ref_id=1]. The `ueditorUpload` function (line 273) processes uploaded files, and the suffix check in lines 103-110 of the upload class only blocks exact `'php'` suffixes while allowing `'php::$data'` to pass [ref_id=1].
What the fix does
The advisory does not provide a patch diff [ref_id=1]. To remediate, the suffix validation logic must reject any extension containing `::` or other Windows alternate data stream syntax, and the allowed extension list should be enforced after stripping such artifacts [ref_id=1]. Additionally, the server should be configured to prevent execution of uploaded PHP files in the upload directory [ref_id=1].
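As an added example (not ThinkCMF's own code; the function names, the allow-list and the sample file names are assumptions), the following PHP contrasts a deny-list suffix check of the kind the advisory describes with a hardened check that refuses alternate data stream syntax and other Windows naming quirks, enforces an allow-list, and never reuses the client-supplied name on disk:

```php
<?php
// Added illustration, not ThinkCMF's own code: function names, the
// allow-list and the sample names below are assumptions.

// Deny-list check of the kind the advisory describes. "shell.php::$data"
// has the suffix 'php::$data', which is not identical to 'php', so it passes.
function weakSuffixCheck(string $filename): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return $ext !== 'php';
}

// Hardened check: reject NTFS alternate-data-stream syntax and Windows name
// quirks, then enforce an allow-list. Returns the normalised extension or null.
function validateUploadName(string $filename, array $allowed = ['png', 'jpg', 'jpeg', 'gif']): ?string
{
    // Any ':' is refused: NTFS stores "x.php::$DATA" (any letter case) and
    // "x.php:stream" as "x.php", so the suffix must be judged before that.
    if (strpos($filename, ':') !== false) {
        return null;
    }
    // Null bytes and path separators have no place in an upload name.
    if (strpbrk($filename, "\0/\\") !== false) {
        return null;
    }
    // Windows drops trailing dots and spaces when creating a file, so
    // "x.php. " would become "x.php"; normalise before reading the suffix.
    $filename = rtrim($filename, ". ");
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    // Allow-list, not deny-list: php, phtml, phar, ... are never reachable.
    if ($ext === '' || !in_array($ext, $allowed, true)) {
        return null;
    }
    return $ext;
}

// Derive the on-disk name from the validated extension only, so nothing
// attacker-chosen reaches the filesystem.
function storageName(string $ext): string
{
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names, including the one from the advisory.
foreach (['shell.png', 'shell.php', 'shell.php::$data', 'shell.PHP::$DATA', 'shell.png::$data', 'shell.php. '] as $name) {
    $ext = validateUploadName($name);
    printf("%-18s weak: %-6s hardened: %s\n", $name,
        weakSuffixCheck($name) ? 'pass' : 'reject',
        $ext === null ? 'reject' : 'accept as ' . storageName($ext));
}
```

The name check is one layer only; as the text above notes, the upload directory should also be served with script execution disabled.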
Preconditions
- config: The application must be running on a Windows server (or a filesystem that interprets `::$data` syntax).
- network: The attacker must have access to the Ueditor file upload endpoint.
- auth: No authentication is mentioned as a barrier; the endpoint appears publicly accessible.
Reproduction
1. Prepare a PHP webshell file (e.g., `shell.php`) containing `<?php @eval($_POST['cmd']);?>`.
2. Rename the file to `shell.png` to bypass front-end client-side checks.
3. Intercept the upload request and change the filename to `shell.php::$data` (or `shell.php::$dada` as shown in the advisory).
4. Send the request to the Ueditor upload endpoint.
5. Access the uploaded file URL (the server will have created `shell.php`).
6. Use a webshell tool (e.g., AntSword, Cknife) to connect and execute commands [ref_id=1].
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.