CVE-2022-50912 Overview
CVE-2022-50912 is a critical file upload vulnerability affecting ImpressCMS 1.4.4 that stems from weak file extension sanitization in the content management system. This vulnerability allows attackers to bypass file upload restrictions by using alternative PHP file extensions such as .php2, .php6, .php7, .phps, and .pht, ultimately enabling arbitrary PHP code execution on the server.
The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type), which represents a significant security risk in web applications that accept user file uploads without proper validation and sanitization of file types.
Critical Impact
Successful exploitation allows remote attackers to upload malicious PHP files and achieve arbitrary code execution on vulnerable ImpressCMS servers, potentially leading to complete server compromise.
Affected Products
- ImpressCMS version 1.4.4
- ImpressCMS installations with default file upload configurations
- Web servers configured to execute alternative PHP file extensions
Discovery Timeline
- 2026-01-13 - CVE-2022-50912 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2022-50912
Vulnerability Analysis
The vulnerability exists in ImpressCMS 1.4.4's file upload handling mechanism, which fails to adequately validate and restrict file extensions during the upload process. While the application may block standard .php file extensions, the sanitization logic does not account for alternative PHP file extensions that Apache and other web servers may be configured to interpret as executable PHP code.
Attackers can exploit this weakness by crafting file uploads with extensions like .php2, .php6, .php7, .phps, or .pht. When these files are uploaded to the server and subsequently accessed via HTTP, the web server processes them as PHP scripts, executing any malicious code contained within.
This vulnerability is particularly dangerous because it requires no authentication to exploit via network access. The attack can be performed remotely with low complexity, and successful exploitation grants attackers the ability to execute arbitrary commands with the privileges of the web server process.
Root Cause
The root cause of CVE-2022-50912 lies in insufficient file extension validation within the ImpressCMS upload handler. The application implements a blocklist-based approach to file type validation that only checks for common executable extensions like .php, while failing to account for less common but equally dangerous PHP-executable extensions.
This represents a classic example of incomplete input validation, where the defensive mechanism relies on a known-bad list rather than implementing a more secure allowlist approach that explicitly permits only safe file types.
Attack Vector
The attack vector for this vulnerability is network-based, requiring no user interaction or prior authentication. An attacker can exploit this vulnerability through the following general approach:
- Identify an ImpressCMS 1.4.4 installation with file upload functionality
- Create a malicious PHP payload (e.g., web shell or reverse shell)
- Rename the payload file with an alternative PHP extension that bypasses validation
- Upload the file through the vulnerable file upload mechanism
- Navigate to the uploaded file's URL to trigger PHP code execution
- Achieve arbitrary command execution on the target server
For detailed technical implementation and proof-of-concept code, refer to the Exploit-DB #50890 entry and the VulnCheck Advisory on ImpressCMS.
Detection Methods for CVE-2022-50912
Indicators of Compromise
- Presence of files with unusual PHP extensions (.php2, .php6, .php7, .phps, .pht) in upload directories
- Web server access logs showing requests to files with alternative PHP extensions
- Unexpected PHP files in ImpressCMS upload folders that were not uploaded by administrators
- Web shell signatures or suspicious PHP code in uploaded files
Detection Strategies
- Implement file integrity monitoring on ImpressCMS upload directories to detect unauthorized file additions
- Configure web application firewalls (WAF) to inspect file upload requests for dangerous content types
- Review web server access logs for requests targeting files with alternative PHP extensions
- Deploy endpoint detection solutions to identify web shell activity and suspicious process execution from web server contexts
Monitoring Recommendations
- Enable detailed logging for all file upload operations within ImpressCMS
- Monitor for unusual outbound network connections originating from the web server process
- Set up alerts for new file creations in upload directories, particularly those with executable extensions
- Regularly audit uploaded files for malicious content using antivirus and file analysis tools
How to Mitigate CVE-2022-50912
Immediate Actions Required
- Upgrade ImpressCMS to the latest available version that addresses this vulnerability
- Review and remove any suspicious files with alternative PHP extensions from upload directories
- Implement server-side file type validation using allowlists rather than blocklists
- Consider restricting file upload functionality until patches can be applied
Patch Information
Organizations running ImpressCMS 1.4.4 should consult the ImpressCMS Official Website and the GitHub ImpressCMS Repository for security updates and patch information. It is recommended to upgrade to the latest stable release that addresses this file upload vulnerability.
Workarounds
- Configure the web server to prevent execution of PHP code from files with alternative extensions (.php2, .php6, .php7, .phps, .pht)
- Implement strict allowlist-based file type validation at the application level, permitting only explicitly safe file types
- Store uploaded files outside the web root or in directories where script execution is disabled
- Use .htaccess or server configuration to deny execution of any files in upload directories
# Apache configuration to disable PHP execution in upload directories
# Add to .htaccess in the upload directory or server configuration
<FilesMatch "\.(php|php2|php3|php4|php5|php6|php7|phps|pht|phtml)$">
Require all denied
</FilesMatch>
# Alternative: Disable all script handlers in upload directory
<Directory "/var/www/html/impresscms/uploads">
php_admin_flag engine off
RemoveHandler .php .phtml .php2 .php3 .php4 .php5 .php6 .php7 .phps .pht
</Directory>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
