Executive Summary

CVE-2021-47904 is an authenticated file upload vulnerability in PhreeBooks version 5.2.3's Image Manager component. It allows an authenticated user to upload malicious PHP files without proper file type restrictions. Once uploaded, these PHP files (web shells) can be accessed and executed remotely, enabling the attacker to run arbitrary system commands on the server. The vulnerability arises because the application does not validate or restrict file types during image uploads, permitting execution of malicious code. [1, 2, 3]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including remote code execution on the affected server. An attacker with valid credentials can upload a malicious PHP web shell, which allows them to execute arbitrary commands remotely. This can lead to full compromise of the server, unauthorized access to sensitive data, disruption of services, and potential further attacks within the network. [1, 2, 3]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized or suspicious authenticated file uploads to the Image Manager upload endpoint (`/index.php?&p=bizuno/image/manager&imgAction=upload`). Specifically, look for uploads of PHP files or files with unusual extensions such as `.php` or `.php3`. Additionally, checking web server logs for access to newly uploaded PHP files under `/myFiles/images/` can help identify exploitation attempts. Commands to detect this may include: 1. Using web server access logs to search for POST requests to the upload endpoint and GET requests to suspicious PHP files, e.g., `grep '/index.php?&p=bizuno/image/manager&imgAction=upload' /var/log/apache2/access.log` and `grep '/myFiles/images/.*\.php' /var/log/apache2/access.log`. 2. Searching for recently created PHP files in the upload directory, e.g., `find /path/to/myFiles/images/ -name '*.php' -mtime -7` to find PHP files created in the last 7 days. 3. Using network monitoring tools to detect unusual HTTP POST requests with multipart/form-data to the upload endpoint. 4. If you have access to the application, reviewing authenticated user activity logs for file uploads. Since exploitation requires authentication, monitoring for unusual or unauthorized user logins combined with file uploads is important. [1, 3]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include: 1. Restrict file types allowed in the Image Manager upload functionality to prevent uploading executable files such as PHP scripts. Implement strict server-side validation to only allow safe image formats (e.g., JPG, PNG, GIF). 2. Apply access controls to ensure only trusted users can upload files, and monitor user activities closely. 3. Remove any suspicious or unknown PHP files found in the upload directories, especially those with random alphanumeric names. 4. If possible, update or patch PhreeBooks ERP to a version where this vulnerability is fixed. 5. As a temporary measure, disable or restrict execution permissions on the upload directories to prevent execution of uploaded PHP files. 6. Monitor logs for signs of exploitation attempts and unauthorized access. 7. Change credentials for all users with upload privileges to prevent compromised accounts from being used. [1, 2, 3]

Useful 0 Not Useful 0