cbcvebase.
CVE-2023-38836
published 2023-08-21

CVE-2023-38836: File Upload vulnerability in BoidCMS v.2.0.0 allows a remote attacker to execute arbitrary code by adding a GIF header to bypass MIME type checks.

Priority: P2, 74
Severity: high, 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 73.21% (99.4th percentile)

Affected

1 range

Vendor | Product | Version range | Fixed in
boidcms | boidcms | |

Detection & IOCs (extracted from sources)

url: /admin?page=media
path: /media/shell.php
filename: shell.php
command: cmd
  • Detect PHP webshell upload disguised with a GIF header to bypass MIME type checks — inspect uploaded files for a GIF magic bytes prefix (GIF89a or GIF8) followed by PHP code content, especially targeting the /media/ directory.
  • Alert on POST requests to /admin?page=media containing a multipart file upload where the uploaded filename ends in .php — this is the exploitation upload endpoint.
  • Alert on GET requests to /media/*.php with a 'cmd' query parameter — this indicates webshell command execution following a successful upload.
  • Monitor for the presence of PHP files (e.g., shell.php) appearing under the /media/ directory of a BoidCMS installation, which should normally contain only media assets.
  • Exploitation requires prior authentication to BoidCMS; the attacker must have valid credentials before abusing the file upload endpoint.
  • The vulnerability affects BoidCMS version 2.0.0 and below; the bypass relies on adding a GIF header to a PHP file to defeat server-side MIME type validation.
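
The checks listed above, sketched in Python as an added example (not code from BoidCMS or from the sources this page cites). It assumes a combined-format access log and a locally readable media directory; the function names, alert labels and sample log lines are constructed for illustration.

```python
import re
from pathlib import Path
from urllib.parse import urlsplit, parse_qs

PHP_TAG = re.compile(rb"<\?php", re.IGNORECASE)
# Request and status fields of a combined-format access log line (assumed format)
REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def is_gif_wrapped_php(data: bytes) -> bool:
    """Content starts with a GIF signature (GIF87a/GIF89a) yet contains a PHP open tag."""
    return data.startswith(b"GIF8") and PHP_TAG.search(data) is not None

def scan_media_dir(root):
    """Yield (path, reason) for files that do not belong among media assets."""
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        if p.suffix.lower() == ".php":
            yield p, "php-extension"
        elif is_gif_wrapped_php(p.read_bytes()):
            yield p, "gif-header-with-php"

def classify_request(line: str):
    """Map one access log line to an alert label from the list above, or None."""
    m = REQ.search(line)
    if not m:
        return None
    url = urlsplit(m["uri"])
    query = parse_qs(url.query, keep_blank_values=True)
    path = url.path.lower()
    if m["method"] == "GET" and path.startswith("/media/") and path.endswith(".php"):
        return "webshell-exec" if "cmd" in query else "php-under-media"
    # The uploaded filename is in the multipart body, not the access log, so this
    # only marks upload events to correlate with later /media/*.php requests.
    if m["method"] == "POST" and url.path == "/admin" and query.get("page") == ["media"]:
        return "media-upload"
    return None

# Constructed sample log lines (documentation address 203.0.113.7), not real traffic
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "POST /admin?page=media HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /media/shell.php?cmd=x HTTP/1.1" 200 64',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /media/logo.gif HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify_request(line), "<-", line.split('"')[1])
```

The content check only looks for the full `<?php` tag; short open tags are left out because their few bytes can occur by chance inside genuine image data.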