Executive Summary

CVE-2025-15423 is a file upload restriction bypass vulnerability in EmpireSoft EmpireCMS up to version 8.0. It exists in the CheckSaveTranFiletype() function in the file e/class/connect.php, which uses a blacklist to block dangerous file types but fails to block critical files such as .htaccess and .user.ini. This allows an attacker with member-level privileges to upload malicious configuration files that enable Remote Code Execution (RCE) on Apache and Nginx servers. For example, on Apache, uploading a .htaccess file can enable PHP execution for files with a .jpg extension, allowing an attacker to upload a webshell and execute arbitrary commands. On Nginx with PHP-FPM, uploading a .user.ini file can cause PHP to automatically include malicious code, facilitating code execution. The vulnerability also bypasses checks for .php. (trailing dot) and .php::$DATA (NTFS Alternate Data Stream) on Windows systems. The impact includes arbitrary system command execution, file read/write access, full server compromise, and exposure of sensitive data. [1, 2, 3]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unrestricted file uploads of malicious configuration files, enabling attackers to execute arbitrary code remotely on the affected server. This can result in full server compromise, including the ability to run system commands, read and write files, and access sensitive information such as database credentials. Ultimately, this can lead to loss of confidentiality, integrity, and availability of the system and data hosted on the server. [1, 2, 3]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by searching for the presence of the vulnerable file e/class/connect.php in EmpireCMS installations and by checking for suspicious uploaded files such as .htaccess, .user.ini, or files with extensions like .php. or .php::$DATA that bypass the blacklist. Additionally, Google Dorking can be used to identify vulnerable targets using queries like inurl:e/class/connect.php. On the system, you can look for unexpected .htaccess or .user.ini files in upload directories or check web server logs for unusual requests to files like shell.jpg with command parameters. Example commands include: 1) Using find to locate suspicious files: find /var/www/html -type f \( -name ".htaccess" -o -name ".user.ini" -o -name "*.php." -o -name "*.php::$DATA" \) 2) Using grep to search for suspicious PHP code in uploaded files: grep -r "<?php system" /var/www/html/uploads/ 3) Using Google Dork: inurl:e/class/connect.php to find potentially vulnerable sites. [3, 1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include extending the blacklist in the CheckSaveTranFiletype() function to explicitly block .htaccess and .user.ini files, which are currently not blocked. Ideally, replace the blacklist approach with a whitelist validation function that only allows safe file extensions such as .jpg, .jpeg, .png, .gif, .bmp, .pdf, .doc, .docx, .xls, .xlsx, .txt, .zip, and .rar. Additionally, restrict file upload permissions to trusted users only, disable AllowOverride in Apache to prevent .htaccess from being processed if possible, and monitor upload directories for suspicious files. Since no vendor patch or official fix is available, these steps help reduce the risk of exploitation. [1]

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows attackers to upload malicious files leading to remote code execution, full server compromise, and exposure of database credentials and sensitive data. Such exposure and unauthorized access to sensitive personal or protected health information could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding sensitive data against unauthorized access and breaches. Therefore, exploitation of this vulnerability can negatively impact compliance with these standards by risking confidentiality and integrity of protected data. [1, 3]

Useful 0 Not Useful 0