CVE-2023-0455
Published 2023-01-26

CVE-2023-0455: Unrestricted Upload of File with Dangerous Type in GitHub repository unilogies/bumsys prior to v1.0.3-beta.

Priority: P2 60 high
CVSS 3.1 base score: 8.8
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 5.75% (92.1th percentile)
Unrestricted Upload of File with Dangerous Type in GitHub repository unilogies/bumsys prior to v1.0.3-beta.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bumsys_project | bumsys | — | — |
| bumsys_project | bumsys | — | — |
| bumsys_project | bumsys | — | — |
| unilogies | unilogies_bumsys | >= unspecified < v1.0.3-beta | v1.0.3-beta |
Detection & IOCs (extracted from sources)
- Monitor multipart/form-data POST requests to /xhr/?module=settings&page=updateShop where the shopLogo field contains a filename with a server-side executable extension (e.g., .php) while the Content-Type is spoofed as image/png.
- Alert on POST requests to the /xhr/ endpoint with query parameters module=settings&page=updateShop, particularly from external or unexpected origins, as this is the vulnerable file upload handler.
- Detect file uploads where the declared Content-Type is an image type (e.g., image/png) but the filename extension is a PHP or other server-side script extension — a classic MIME-type bypass for unrestricted file upload.
- Look for the presence of the X-Requested-With: XMLHttpRequest header combined with the X-Csrf-Token header on upload requests to /xhr/ — this is the expected request pattern for exploitation of this endpoint.
- The exploit was demonstrated against bumsys v1.0.3-beta; versions prior to v1.0.3-beta are also stated as vulnerable per the NVD advisory. Confirm the patched version before assuming remediation.
- The server responds with HTTP 200 and 'Shop successfully updated.' even when a malicious PHP file is uploaded, meaning HTTP response codes alone cannot be used to distinguish successful exploitation from a legitimate shop update.
- The exploit was tested on Windows 11 with XAMPP-8.2.0 and a PHP/7.0.33 backend (Apache/2.4.51). Detection rules should account for this stack but the vulnerability is not inherently OS-specific.
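The four detection points above can be folded into one check over raw HTTP request captures. The following is an added example written for this page, not code from the bumsys project or from any of the listed sources: it parses a request, confirms it targets the updateShop handler, walks the multipart parts, and flags a file part whose extension is server-side executable while its declared Content-Type is an image. The sample requests it builds are constructed (hostname, token and boundary are placeholders); the helper and finding names are this example's own.

```python
"""Flag updateShop uploads whose filename extension contradicts the declared image MIME type."""
import os
import re
from urllib.parse import parse_qs, urlparse

# Extensions a PHP-backed host may execute if the file lands under the web root (assumed list).
SCRIPT_EXTS = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar"}


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into method, target, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def multipart_parts(body: bytes, content_type: str) -> list:
    """Return each multipart/form-data part as {name, filename, content_type, body}."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        return []
    delim = b"--" + m.group(1).encode()
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.strip() in (b"", b"--"):  # preamble / closing delimiter
            continue
        phead, _, pbody = chunk.partition(b"\r\n\r\n")
        pheaders = {}
        for line in phead.decode("latin-1").strip().split("\r\n"):
            n, _, v = line.partition(":")
            pheaders[n.strip().lower()] = v.strip()
        disp = pheaders.get("content-disposition", "")
        name = re.search(r'name="([^"]*)"', disp)
        fname = re.search(r'filename="([^"]*)"', disp)
        parts.append({
            "name": name.group(1) if name else "",
            "filename": fname.group(1) if fname else None,
            "content_type": pheaders.get("content-type", ""),
            "body": pbody,
        })
    return parts


def detect(raw: bytes) -> list:
    """Return a list of finding tags for one request; empty means nothing matched."""
    req = parse_request(raw)
    url = urlparse(req["target"])
    qs = parse_qs(url.query)
    is_handler = (req["method"] == "POST" and url.path == "/xhr/"
                  and qs.get("module") == ["settings"] and qs.get("page") == ["updateShop"])
    if not is_handler:
        return []
    findings = ["updateShop_upload_handler"]
    ctype = req["headers"].get("content-type", "")
    if ctype.startswith("multipart/form-data"):
        for part in multipart_parts(req["body"], ctype):
            if part["filename"] is None:
                continue
            ext = os.path.splitext(part["filename"])[1].lower()
            if ext in SCRIPT_EXTS:
                findings.append(f"script_extension:{part['name']}:{ext}")
                if part["content_type"].startswith("image/"):
                    findings.append(f"mime_mismatch:{part['name']}:{part['content_type']}")
    if (req["headers"].get("x-requested-with") == "XMLHttpRequest"
            and "x-csrf-token" in req["headers"]):
        findings.append("xhr_with_csrf_token")
    return findings


def build_request(filename: str, part_ctype: str) -> bytes:
    """Constructed sample updateShop request (not a real capture); file bytes are a placeholder."""
    boundary = "----SampleBoundary7a1b"
    body = (
        f"--{boundary}\r\n"
        'Content-Disposition: form-data; name="shopName"\r\n\r\n'
        "Example Shop\r\n"
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="shopLogo"; filename="{filename}"\r\n'
        f"Content-Type: {part_ctype}\r\n\r\n"
        "PLACEHOLDER-FILE-BYTES\r\n"
        f"--{boundary}--\r\n"
    ).encode()
    head = (
        "POST /xhr/?module=settings&page=updateShop HTTP/1.1\r\n"
        "Host: shop.example.test\r\n"
        "X-Requested-With: XMLHttpRequest\r\n"
        "X-Csrf-Token: placeholder-token\r\n"
        f"Content-Type: multipart/form-data; boundary={boundary}\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    ).encode()
    return head + body


if __name__ == "__main__":
    print("benign  :", detect(build_request("logo.png", "image/png")))
    print("mismatch:", detect(build_request("logo.php", "image/png")))
```

A legitimate logo update yields only the handler and XHR tags, so a rule should fire on the `mime_mismatch` or `script_extension` tags rather than on the endpoint alone; as the IOC list notes, the HTTP 200 response is identical in both cases, so the request, not the response, is what has to be inspected.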
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 7.6 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L |
No detection rules found.
No writeups or analysis indexed.
References

- http://packetstormsecurity.com/files/172674/Bumsys-Business-Management-System-1.0.3-beta-Shell-Upload.html
- https://github.com/unilogies/bumsys/commit/a5beff7868ab63bf4ec752a1102f8da033c66b28
- https://huntr.dev/bounties/b5e9c578-1a33-4745-bf6b-e7cdb89793f7