CVE-2022-23626
Published 2022-02-08
Priority: P265 · Severity: high · CVSS 3.1 base score: 8.8
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit indexed (Packet Storm, see references)
EPSS: 9.87% (95.0th percentile)
m1k1o/blog is a lightweight self-hosted facebook-styled PHP blog. Errors from the `imagecreatefrom*` and `image*` functions were not checked properly. Although PHP issued warnings and the upload function returned `false`, the original file (which could contain a malicious payload) was kept on disk. Users are advised to upgrade to 1.4 as soon as possible. There are no known workarounds for this issue.
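The bug class described above, as an added example written for this page (it is not m1k1o/blog's code, and the function names, directory layout and exact control flow are assumptions). The vulnerable shape writes the upload into the public image directory under its client-supplied name and only then asks GD to decode it; when GD fails, the handler returns `false` without removing what it already wrote. The hardened shape decodes first, writes only GD's re-encoded output under a server-chosen name, and deletes the upload on every failure path. `rename()` stands in for `move_uploaded_file()` so the demo runs from the CLI.

```php
<?php
// Added example, NOT m1k1o/blog's code: names, paths and control flow are assumptions.
// rename() stands in for move_uploaded_file() so this runs from the CLI.

// VULNERABLE shape: file lands in the web-served directory under the client's name first.
// When GD cannot decode it the function returns false, but $dest is never removed.
function upload_image_vulnerable(string $tmpPath, string $clientName, string $destDir): bool
{
    $dest = rtrim($destDir, '/') . '/' . basename($clientName);   // e.g. /data/i/shell.gif.php
    if (!rename($tmpPath, $dest)) {
        return false;
    }
    $img = @imagecreatefromstring((string) file_get_contents($dest)); // false + warning on non-image data
    if ($img === false) {
        return false;            // "handled": caller sees false, the payload stays on disk
    }
    $ok = imagejpeg($img, $dest . '.jpg');
    imagedestroy($img);
    return $ok;                  // original $dest is still kept even on success
}

// HARDENED shape: decode before anything touches $destDir, ignore the client's name and
// extension, write only GD's output, and clean up on every failure path.
function upload_image_hardened(string $tmpPath, string $destDir): ?string
{
    $data = file_get_contents($tmpPath);
    $img  = $data === false ? false : @imagecreatefromstring($data);
    if ($img === false) {
        @unlink($tmpPath);       // rejected payload never reaches the web root
        return null;
    }
    $name = bin2hex(random_bytes(16)) . '.jpg';   // server-chosen name, fixed extension
    $dest = rtrim($destDir, '/') . '/' . $name;
    $ok   = imagejpeg($img, $dest, 90);           // bytes on disk are GD's, not the client's
    imagedestroy($img);
    @unlink($tmpPath);
    if (!$ok) {
        @unlink($dest);
        return null;
    }
    return $name;
}

// Constructed demo input: a fake "GIF;" header followed by inert text standing in for PHP.
$dir = sys_get_temp_dir() . '/data_i_demo';
@mkdir($dir);
$payload = "GIF;<?php /* placeholder, never executed here */";

$tmp1 = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp1, $payload);
var_dump(upload_image_vulnerable($tmp1, 'shell.gif.php', $dir));  // reports failure ...
var_dump(file_exists("$dir/shell.gif.php"));                        // ... yet the .php file was kept

$tmp2 = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp2, $payload);
var_dump(upload_image_hardened($tmp2, $dir));                       // rejected, nothing written
print_r(array_map('basename', glob("$dir/*")));                     // only the vulnerable handler's file remains
```

The second defence in the hardened version matters as much as the return-value check: because the stored bytes are GD's re-encoding rather than the upload itself, a polyglot that happens to decode as an image is still not written to disk verbatim, and because the name and extension are server-chosen, nothing under the image directory can ever end in `.php`.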
Affected (2 version ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| blog_project | blog | < 1.4 | 1.4 |
| m1k1o | blog | < 1.4 | 1.4 |
Detection & IOCs (extracted from sources)
- Detect multipart file uploads to /ajax.php?action=upload_image where the uploaded filename contains a double extension ending in .php (e.g., .gif.php, .jpg.php), indicating an attempt to disguise a PHP webshell as an image.
- Alert on HTTP GET requests to /data/i/*.php. The upload directory should never serve PHP files; execution of a file in this path indicates successful webshell placement.
- Detect uploaded files whose content begins with the GIF magic-byte spoof 'GIF;' but whose declared Content-Type is application/x-httpd-php, indicating a polyglot PHP webshell.
- Monitor for the specific multipart boundary string '-----------------------------13148889121752486353560141292' in HTTP requests to the blog application; this static boundary is hardcoded in the public exploit.
- Flag POST requests to /ajax.php carrying both 'X-Requested-With: XMLHttpRequest' and a 'Csrf-Token' header with a 10-character lowercase hex value, combined with a multipart body uploading a .php file.
- Detect outbound PHP reverse shell commands using fsockopen combined with exec('/bin/bash') spawned from the web server process, indicating successful RCE post-upload.
- The vulnerability is authenticated: an attacker must possess valid blog credentials before exploiting the file upload. Detection should account for a preceding successful login POST to /ajax.php with action=login.
- The root cause is that PHP image processing errors are not checked, so the original malicious file is retained on disk even when the image conversion fails. Blocking the upload endpoint alone is insufficient if the file is already written to /data/i/.
- The exploit targets version 1.3 and below. Verify the installed version of m1k1o/blog before applying detection rules to avoid false positives on patched instances.
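The indicators above turned into two small checks, as an added example that is not part of the page's sources or of the m1k1o/blog project: one inspects a captured upload request (target, headers and multipart body) for the filename, Content-Type, boundary and header patterns listed, the other scans access-log lines for PHP files served from /data/i/. The request and log lines are constructed samples; the endpoint, paths, header names and boundary string are the ones the list gives.

```php
<?php
// Added detection example (not from the page's sources or from m1k1o/blog).
// The request body and access-log lines below are constructed samples, not real traffic.

const EXPLOIT_BOUNDARY = '-----------------------------13148889121752486353560141292';

/** Names of the indicators that fire on one captured request to the blog. */
function inspect_upload_request(string $target, array $headers, string $body): array
{
    $hits = [];
    if (strpos($target, '/ajax.php') === false || strpos($target, 'action=upload_image') === false) {
        return $hits;                                   // only the upload endpoint matters here
    }
    // Client-supplied name: Content-Disposition: form-data; name="..."; filename="x.gif.php"
    if (preg_match('/filename="([^"]+)"/i', $body, $m)
        && preg_match('/\.[a-z0-9]+\.php$/i', $m[1])) {
        $hits[] = 'double-extension filename ending in .php: ' . $m[1];
    }
    // Declared type vs. content: "GIF;" is not a real GIF header (GIF87a/GIF89a); a part
    // declared as PHP that starts with it is the polyglot pattern described above.
    if (preg_match('/Content-Type:\s*application\/x-httpd-php\r?\n\r?\n(.{4})/is', $body, $m)
        && $m[1] === 'GIF;') {
        $hits[] = 'GIF; prefix on a part declared application/x-httpd-php';
    }
    if (strpos($body, EXPLOIT_BOUNDARY) !== false) {
        $hits[] = 'multipart boundary hardcoded in the public exploit';
    }
    $h = array_change_key_case($headers, CASE_LOWER);
    if (($h['x-requested-with'] ?? '') === 'XMLHttpRequest'
        && preg_match('/^[0-9a-f]{10}$/', $h['csrf-token'] ?? '')
        && preg_match('/filename="[^"]*\.php"/i', $body)) {
        $hits[] = 'XHR request with 10-hex Csrf-Token uploading a .php file';
    }
    return $hits;
}

/** Combined-format access-log lines where a .php file was requested under /data/i/. */
function scan_access_log(array $lines): array
{
    $alerts = [];
    foreach ($lines as $line) {
        if (preg_match('#"(GET|POST) (/data/i/[^\s"?]+\.php)[^"]*" (\d{3})#', $line, $m)) {
            $alerts[] = $m[1] . ' ' . $m[2] . ' -> HTTP ' . $m[3]
                      . ($m[3] === '200' ? ' (served: webshell likely live)' : '');
        }
    }
    return $alerts;
}

// --- constructed samples ---
$body = "--" . EXPLOIT_BOUNDARY . "\r\n"
      . "Content-Disposition: form-data; name=\"image\"; filename=\"avatar.gif.php\"\r\n"
      . "Content-Type: application/x-httpd-php\r\n\r\n"
      . "GIF;<?php /* placeholder, not a real shell */\r\n"
      . "--" . EXPLOIT_BOUNDARY . "--\r\n";
$headers = ['X-Requested-With' => 'XMLHttpRequest', 'Csrf-Token' => 'a1b2c3d4e5'];
print_r(inspect_upload_request('/ajax.php?action=upload_image', $headers, $body));

$log = [
    '10.0.0.5 - - [08/Feb/2022:10:01:02 +0000] "POST /ajax.php?action=login HTTP/1.1" 200 37 "-" "curl/7.81"',
    '10.0.0.5 - - [08/Feb/2022:10:01:09 +0000] "GET /data/i/avatar.gif.php?cmd=id HTTP/1.1" 200 512 "-" "curl/7.81"',
    '10.0.0.9 - - [08/Feb/2022:10:02:00 +0000] "GET /data/i/photo.jpg HTTP/1.1" 200 9032 "-" "Mozilla/5.0"',
];
print_r(scan_access_log($log));
```

The request-side checks need the body, so they belong in a WAF or reverse proxy with request inspection, not in the access log. The log-side check is the one that works after the fact: a 200 for any .php path under /data/i/ means the file was both kept (the root cause above) and executed, and the preceding login POST from the same client, as the list notes, is the authentication step the attacker had to complete first.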
CVSS provenance
NVD, CVSS v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P
References
- http://packetstormsecurity.com/files/167235/m1k1os-Blog-1.3-Remote-Code-Execution.html
- https://github.com/m1k1o/blog/commit/6f5e59f1401c4a3cf2e518aa85b231ea14e8a2ef
- https://github.com/m1k1o/blog/security/advisories/GHSA-wmqj-5v54-24x4