-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| phpmyfaq/phpmyfaq | composer | = 3.2.5 | 3.2.6 |
Miggo AIRoot Cause AnalysisThe vulnerability chain relies on three key functions: 1) getFileExtension's failure to enforce valid extensions allows empty extension values, 2) getFileName's unsafe concatenation of user-controlled 'lang' parameter enables PHP extension injection, and 3) isValidMimeType's reliance on getimagesize() which is bypassable via specially crafted images. These functions collectively enable the .PHP file upload bypass as documented in the PoC and vulnerability analysis.
Attackers can upload malicious files containing executable code, allowing them to take control of the vulnerable system. This enables them to execute arbitrary commands, steal sensitive data, disrupt services, and potentially escalate their privileges, posing significant risks to the security and integrity of the system and its data.
In CategoryImage.php line 124, the getimagesize and isValidMimeType functions can be bypassed by uploading a fake .GIF file generated by gifsicle.
In CategoryImage.php line 85, the getFileExtension function returns an empty string when the content type doesnt match any of the following 3 mappings. Hence, its possible to just supply an invalid content type such as image/gif2 in step 3 of the PoC to make the function return an empty string.
In CategoryImage.php line 66, the getFileName function generate the filename by concatenating the categoryId, categoryName and fileExtension together. This allows us to save the file with a .PHP extension. (It should be possible to just set the payload in step 3 above to just .php but it doesnt work and im not sure why..)
I believe one of the ways to solve this vulnerability is by forcing the getFileExtension function to return one of the 3 mimetype instead of an empty string. This ensures that the uploaded file will have an image extension and will not execute as a PHP file.
KEV Misses 88% of Exploited CVEs- Get the report
PHPPHP