CVE-2021-47753
BaseFortify
Publication date: 2026-01-15
Last updated on: 2026-01-15
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| phpkf | cms | 3.00_beta_y6 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in phpKF CMS 3.00 Beta y6 allows an unauthenticated attacker to upload a malicious PHP file disguised as a PNG image by bypassing superficial file extension checks. The attacker can then rename the uploaded file from .png to .php and execute arbitrary system commands remotely through a web shell parameter, leading to remote code execution on the server. [1]
How can this vulnerability impact me? :
This vulnerability can lead to full remote code execution on the affected server, allowing attackers to run arbitrary system commands. This can result in unauthorized access, data theft, server compromise, defacement, or use of the server for malicious activities, severely impacting the security and integrity of your system. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of suspicious PHP files uploaded in directories intended for image uploads, especially files that were originally uploaded with a .png extension but renamed to .php. Network detection can involve monitoring HTTP requests to the upload endpoint (/phpkf-bilesenler/yukleme/index.php) and looking for POST requests that upload files or rename files. Additionally, you can attempt to access uploaded PHP files with a cmd parameter to see if system commands are executed. For example, you can use curl commands to test the upload and execution endpoints: 1. Check if the upload endpoint is accessible: curl -I http://target/phpkf-bilesenler/yukleme/index.php 2. Attempt to upload a PHP file disguised as an image (requires authentication or user creation as per exploit): curl -F "[email protected]" http://target/phpkf-bilesenler/yukleme/index.php 3. Attempt to rename the uploaded file to .php via POST request. 4. Test execution by accessing: http://target/path/evil.php?cmd=id or http://target/path/evil.php?cmd=whoami Monitoring web server logs for unusual file uploads or accesses to .php files in image directories can also help detect exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1. Disable or restrict the file upload functionality to prevent unauthenticated uploads. 2. Implement strict server-side validation of uploaded files, ensuring that only allowed file types are accepted and that file extensions cannot be changed post-upload. 3. Restrict permissions on upload directories to prevent execution of uploaded files. 4. Monitor and remove any suspicious files, especially PHP files in upload directories. 5. Apply any available patches or updates from the vendor addressing this vulnerability. 6. If possible, restrict access to the upload endpoints to authenticated and authorized users only. 7. Review web server and application logs for signs of exploitation and respond accordingly. [1]