CVE-2024-0352 Overview
CVE-2024-0352 is an unrestricted file upload vulnerability in Likeshop versions up to 2.5.7.20210311. The flaw exists in the FileServer::userFormImage function within server/application/api/controller/File.php. Attackers can manipulate the file argument in HTTP POST requests to upload arbitrary files to the server. The vulnerability requires no authentication and can be exploited remotely over the network. The exploit details have been publicly disclosed under VulDB identifier VDB-250120, increasing the likelihood of opportunistic exploitation against exposed Likeshop deployments.
Critical Impact
Remote unauthenticated attackers can upload arbitrary files, including web shells, leading to full compromise of the underlying server.
Affected Products
- Likeshop versions up to and including 2.5.7.20210311
- Likeshop FileServer::userFormImage function in server/application/api/controller/File.php
- Deployments exposing the HTTP POST request handler to untrusted networks
Discovery Timeline
- 2024-01-09 - CVE-2024-0352 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-0352
Vulnerability Analysis
The vulnerability is classified as Unrestricted Upload of File with Dangerous Type [CWE-434]. The FileServer::userFormImage handler accepts file uploads through HTTP POST requests but fails to validate the file type, extension, or content. Attackers send a crafted multipart request with the file parameter set to a malicious payload such as a PHP web shell. Once uploaded, the attacker requests the file through the web server to execute arbitrary code in the application context.
The EPSS score of 91.891% places this vulnerability in the top percentile for predicted exploitation activity, reflecting the public availability of exploit details and the trivial exploitation requirements.
Root Cause
The root cause is missing server-side validation in the FileServer::userFormImage function. The handler does not enforce an allowlist of permitted file extensions or MIME types. It also does not verify file content using magic-byte inspection or sanitize the destination path. Files written into a web-accessible directory remain executable by the PHP interpreter, completing the path from upload to remote code execution.
Attack Vector
Exploitation is performed over the network without authentication or user interaction. An attacker submits an HTTP POST request to the vulnerable endpoint exposed by File.php, attaching a PHP file disguised as an image or submitted with an executable extension. The server stores the file in a publicly reachable directory. The attacker then issues a GET request to the uploaded file path, triggering execution and gaining a foothold on the host.
No authenticated code examples have been verified for this advisory. Refer to the VulDB entry #250120 and the Zhao Jin technical write-up for proof-of-concept details.
Detection Methods for CVE-2024-0352
Indicators of Compromise
- HTTP POST requests targeting /api/file/formimage or related routes resolving to FileServer::userFormImage
- New files with executable extensions such as .php, .phtml, or .php5 appearing in Likeshop upload directories
- Outbound connections from the web server process to unfamiliar IP addresses shortly after upload activity
- Web server access logs showing GET requests to recently uploaded files in upload paths
Detection Strategies
- Inspect web server and application logs for POST requests to the Likeshop file upload endpoint followed by GET requests to newly created files
- Deploy file integrity monitoring on the Likeshop upload directories to alert on creation of scripts or non-image content
- Use web application firewall rules to flag multipart uploads where the declared content type conflicts with the file extension or embedded magic bytes
Monitoring Recommendations
- Forward web server access logs and application logs into a centralized SIEM for correlation
- Alert on PHP interpreter execution originating from upload directories
- Monitor process creation on the host for shells or interpreters spawned by the PHP-FPM or web server parent process
How to Mitigate CVE-2024-0352
Immediate Actions Required
- Restrict network access to Likeshop administrative and API endpoints using firewall rules or IP allowlists
- Audit upload directories for unauthorized files and remove any unexpected scripts
- Disable PHP execution in directories used to store user-supplied uploads
- Review web server logs for prior exploitation indicators dating back to the application's exposure window
Patch Information
No vendor patch URL is referenced in the NVD record for CVE-2024-0352. Operators running Likeshop versions up to 2.5.7.20210311 should consult the Likeshop project repository for updates and apply any subsequent releases that address FileServer::userFormImage validation. Until an official patch is confirmed, treat all internet-facing Likeshop instances as exposed.
Workarounds
- Place Likeshop behind a reverse proxy that enforces strict content-type validation on file upload endpoints
- Configure the web server to refuse execution of PHP files within upload directories using directives such as php_admin_flag engine off
- Implement an application-layer allowlist proxy that only permits image MIME types and validates file magic bytes before forwarding requests
# Apache example: disable PHP execution in Likeshop upload directory
<Directory "/var/www/likeshop/server/public/uploads">
php_admin_flag engine off
AddType text/plain .php .phtml .php5 .phar
</Directory>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
