CVE-2021-47964 Overview
CVE-2021-47964 is a remote code execution vulnerability affecting Schlix CMS version 2.2.6-6. Authenticated attackers can execute arbitrary PHP code by abusing the block manager extension upload functionality. The flaw resides in the core.blockmanager component, which fails to validate the contents of uploaded extension packages. An attacker uploads a crafted ZIP archive containing malicious PHP within the packageinfo.inc file. Code execution triggers when the attacker accesses the About tab of the installed extension. The issue is classified as CWE-94, Improper Control of Generation of Code (Code Injection).
Critical Impact
Authenticated attackers with block manager access can achieve full remote code execution on the underlying web server, leading to complete site compromise.
Affected Products
- Schlix CMS 2.2.6-6
- Component: core.blockmanager
- Extension packaging subsystem (packageinfo.inc handling)
Discovery Timeline
- 2026-05-15 - CVE-2021-47964 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2021-47964
Vulnerability Analysis
The vulnerability stems from how Schlix CMS processes uploaded extension packages through the block manager. The application accepts ZIP archives as extension installers without validating the executable content embedded in metadata files. The packageinfo.inc file inside the package is interpreted as PHP when the administrator views the extension's About tab. This design treats untrusted attacker-supplied content as trusted server-side code. The Common Weakness Enumeration classifies this issue under CWE-94, Improper Control of Generation of Code. Successful exploitation grants the attacker the same privileges as the PHP process, typically the web server user.
Root Cause
The root cause is the inclusion of an attacker-controlled file (packageinfo.inc) by the PHP interpreter without sanitization or restriction of executable code. Schlix CMS treats package metadata files as PHP scripts rather than parsing them as data, which directly violates separation between code and data.
Attack Vector
The attack requires authenticated access with permission to use the block manager. The attacker crafts a ZIP archive containing a packageinfo.inc file with arbitrary PHP payloads. After uploading the package as an extension, the attacker navigates to the installed extension and opens the About tab. The server then includes and executes the embedded PHP. A public proof of concept is available at Exploit-DB #49838 and the Vulncheck Advisory for Schlix CMS.
No verified exploit code is reproduced here. Refer to the linked advisories for technical proof-of-concept details.
Detection Methods for CVE-2021-47964
Indicators of Compromise
- Unexpected ZIP file uploads under the Schlix CMS extensions or blocks directory containing packageinfo.inc.
- New or modified PHP files within block manager extension directories that do not match the vendor distribution.
- Outbound network connections initiated by the PHP-FPM or Apache process to attacker-controlled hosts following an extension install.
- Web server logs showing POST requests to the block manager upload endpoint followed by requests to the About tab of a newly installed extension.
Detection Strategies
- Monitor file integrity on the Schlix CMS web root and flag any newly created packageinfo.inc content that contains PHP tags such as <?php.
- Inspect HTTP access logs for sequences of administrative uploads followed by extension About tab requests within a short time window.
- Hunt for PHP processes spawning unexpected child processes such as sh, bash, nc, or curl.
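The upload-then-About sequence from the log-based strategy above, as an added example that is not part of the original advisory or of Schlix; it correlates requests by client IP over Combined Log Format lines. The two URL patterns, the five-minute window and the sample log lines are constructed placeholders, because the advisory does not give the endpoint paths.

```python
import re
from datetime import datetime, timedelta

# Combined Log Format fields used here: client, timestamp, method, URL, status.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)
# Placeholder patterns, not real Schlix paths: replace them with the block
# manager upload and About tab URLs seen in your own access logs.
UPLOAD_URL = re.compile(r"/PLACEHOLDER-blockmanager-upload")
ABOUT_URL = re.compile(r"/PLACEHOLDER-extension-about")
WINDOW = timedelta(minutes=5)  # assumed correlation window


def correlate(lines, window=WINDOW):
    """Return (ip, upload_time, about_time) for each upload followed by an
    About tab request from the same client within the window."""
    last_upload = {}  # client IP -> time of its latest successful upload POST
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines in another format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, method, url = m["ip"], m["method"], m["url"]
        if method == "POST" and UPLOAD_URL.search(url) and m["status"][0] in "23":
            last_upload[ip] = ts
        elif method == "GET" and ABOUT_URL.search(url) and ip in last_upload:
            started = last_upload.pop(ip)
            if timedelta(0) <= ts - started <= window:
                hits.append((ip, started, ts))
    return hits


# Constructed sample lines (documentation IP ranges, placeholder URLs).
SAMPLE = [
    '198.51.100.7 - - [12/Mar/2024:10:00:01 +0000] "POST /PLACEHOLDER-blockmanager-upload HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Mar/2024:10:00:40 +0000] "GET /PLACEHOLDER-extension-about?id=demo HTTP/1.1" 200 2048',
    '203.0.113.9 - - [12/Mar/2024:10:01:00 +0000] "POST /PLACEHOLDER-blockmanager-upload HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/Mar/2024:11:30:00 +0000] "GET /PLACEHOLDER-extension-about?id=demo HTTP/1.1" 200 2048',
    '192.0.2.44 - - [12/Mar/2024:10:02:00 +0000] "GET /PLACEHOLDER-extension-about?id=other HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, up, about in correlate(SAMPLE):
        print(f"{ip}: upload {up:%H:%M:%S} -> About tab {about:%H:%M:%S}")
```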
Monitoring Recommendations
- Forward web server, PHP error, and audit logs to a centralized analytics platform for correlation against extension installation events.
- Alert on administrative authentication events from unfamiliar IP addresses or geographies that immediately precede extension uploads.
- Track outbound connections from the web server's PHP runtime to detect post-exploitation command-and-control activity.
How to Mitigate CVE-2021-47964
Immediate Actions Required
- Restrict access to the Schlix CMS administrative interface using network-level controls such as VPN or IP allowlisting.
- Audit all administrative accounts and remove block manager privileges from users who do not require them.
- Review recently installed extensions and remove any unrecognized or untrusted packages.
- Rotate credentials for all administrative accounts that may have been exposed.
Patch Information
No vendor patch is referenced in the available CVE data. Consult the Schlix Website for current release information and apply any updates released after version 2.2.6-6. Until a confirmed fixed release is available, operators should treat the block manager extension upload functionality as untrusted.
Workarounds
- Disable the block manager extension upload functionality if it is not required for daily operations.
- Enforce strict file upload validation at a reverse proxy or web application firewall to block ZIP archives containing PHP code.
- Configure the web server to prevent execution of PHP files within extension upload directories using directives such as php_admin_flag engine off.
- Apply the principle of least privilege so the PHP process cannot write to or execute files outside required directories.
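# Example Apache configuration to disable PHP execution in extension upload paths.
# php_admin_flag is a mod_php directive; Apache rejects it when mod_php is not
# loaded (for example on PHP-FPM setups). It stops PHP files requested directly
# from this path; a file the application itself loads with include, such as
# packageinfo.inc, is still interpreted.
<Directory "/var/www/schlix/public_html/extensions">
    php_admin_flag engine off
    AllowOverride None
    Options -ExecCGI
</Directory>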
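An added example (not code from the advisory or from Schlix) of the packageinfo.inc check named in the detection strategies and in the upload-validation workaround: it inspects a package ZIP before install and sweeps an existing web root for the same condition. The size cap and the sample archives are assumptions constructed for the example.

```python
import io
import re
import zipfile
from pathlib import Path, PurePosixPath

# PHP open tags: "<?php", the short echo tag "<?=", and the bare short tag "<?"
# (an "<?xml" declaration is not counted).
PHP_TAG = re.compile(rb"<\?(?:php\b|=|(?!xml))", re.IGNORECASE)
METADATA_NAME = "packageinfo.inc"   # file name taken from the advisory
MAX_BYTES = 1 << 20                 # assumed cap; larger members are reported unread


def audit_zip(data: bytes) -> list[str]:
    """Findings for an uploaded package, checked before it is installed."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid ZIP archive"]
    findings = []
    with archive:
        for info in archive.infolist():
            if PurePosixPath(info.filename).name.lower() != METADATA_NAME:
                continue
            if info.file_size > MAX_BYTES:
                findings.append(f"{info.filename}: oversized metadata file")
            elif PHP_TAG.search(archive.read(info)):
                findings.append(f"{info.filename}: PHP tag in package metadata")
    return findings


def audit_tree(root: Path) -> list[Path]:
    """On-disk sweep: packageinfo.inc files under root that contain a PHP tag."""
    hits = []
    for path in root.rglob("*"):
        if path.is_file() and path.name.lower() == METADATA_NAME:
            if PHP_TAG.search(path.read_bytes()[:MAX_BYTES]):
                hits.append(path)
    return sorted(hits)


def make_zip(members: dict[str, bytes]) -> bytes:
    """Build a constructed sample archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: one data-only metadata file, one carrying a PHP tag.
    print(audit_zip(make_zip({"demo/packageinfo.inc": b"name=demo\nversion=1.0\n"})))
    print(audit_zip(make_zip({"demo/packageinfo.inc": b"<?php echo 1; ?>"})))
```

A hit is a lead for review against the vendor distribution, not proof of compromise.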

