CVE-2024-10292 Overview
CVE-2024-10292 is an unrestricted file upload vulnerability [CWE-434] in ZZCMS 2023. The flaw is in the script 3/Ebak5.1/upload/ChangeTable.php, which processes the savefilename parameter without proper validation. A remote attacker with low privileges on the application can manipulate this parameter to write arbitrary files to the server. Exploit details have been published, which increases the likelihood of opportunistic attacks against exposed installations. ZZCMS is a content management system widely used in Chinese-language web environments; the 2023 release is affected.
Critical Impact
Authenticated remote attackers can upload arbitrary files through the savefilename parameter, which leads to web shell deployment, code execution as the web server user, and persistent compromise of the host.
Affected Products
- ZZCMS 2023
- File: 3/Ebak5.1/upload/ChangeTable.php
- Parameter: savefilename
Discovery Timeline
- 2024-10-23 - CVE-2024-10292 published to NVD
- 2024-10-30 - Last updated in NVD database
Technical Details for CVE-2024-10292
Vulnerability Analysis
The vulnerability is an unrestricted file upload weakness [CWE-434]. The ZZCMS 2023 ChangeTable.php script takes the savefilename argument from user-controlled input and does not validate the file extension, content type, or destination path of the upload. An attacker can therefore supply a filename with a server-executable extension such as .php. Because the upload directory sits under the web root, the written file is reachable by URL and is run by the PHP handler on the next request to it.
The attack requires network access and low privileges on the application, but no user interaction. Public exploit details lower the barrier for opportunistic abuse of exposed ZZCMS deployments.
Root Cause
The root cause is missing server-side input validation on the savefilename parameter inside 3/Ebak5.1/upload/ChangeTable.php. The application trusts the client-supplied filename and writes the uploaded content directly to disk. There is no allow-list of permitted extensions and no enforcement of a restricted upload directory outside the web root.
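To make the root cause concrete, the following Python snippet (added here for illustration; it is not ZZCMS code, and the allowed-extension list, the upload root and the function names are assumptions) contrasts the unsafe pattern the advisory describes, where the client-supplied name is joined straight onto the upload root, with a validator that rejects any name that could become an executable file or escape the directory and then replaces it with a server-chosen name.

```python
import os
import secrets

# Extensions an Apache/PHP host will typically hand to the interpreter.
# Assumption: adjust to the handlers actually configured on the server.
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "php8",
                     "phtml", "phar", "phps"}

# What the upload feature legitimately needs. Illustrative: the advisory does
# not say which types ChangeTable.php is supposed to accept.
ALLOWED_EXTENSIONS = {"sql", "zip", "txt"}


def vulnerable_target_path(upload_root: str, savefilename: str) -> str:
    """The pattern the advisory describes: the client-supplied name is trusted
    and the upload is written wherever it points. Deliberately unsafe."""
    return os.path.join(upload_root, savefilename)


def safe_target_path(upload_root: str, savefilename: str) -> str:
    """Validate the client name against an allow-list, refuse anything that
    could execute or escape upload_root, then pick the stored name ourselves.
    Raises ValueError on rejection."""
    # Separators and NUL bytes are never part of a legitimate single filename.
    if not savefilename or any(c in savefilename for c in "/\\\x00"):
        raise ValueError("path separator or NUL in filename")
    if savefilename in (".", ".."):
        raise ValueError("reserved name")
    segments = savefilename.lower().split(".")
    # Require a real extension: "backup" and "backup." are both rejected.
    if len(segments) < 2 or not segments[-1]:
        raise ValueError("missing extension")
    # Check every segment after the first, so shell.php.sql and shell.phtml
    # are both rejected even when the final extension looks harmless.
    if any(seg in SCRIPT_EXTENSIONS for seg in segments[1:]):
        raise ValueError("script extension in filename")
    ext = segments[-1]
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not in allow-list")
    # The client now influences only the vetted extension; the stored name is
    # random, so an attacker cannot predict or overwrite a path.
    return os.path.join(upload_root, f"{secrets.token_hex(16)}.{ext}")


def is_safe_savefilename(savefilename: str) -> bool:
    """Boolean view of safe_target_path for callers that only need a verdict."""
    try:
        safe_target_path("/srv/zzcms-uploads", savefilename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    upload_root = "/var/www/zzcms/3/Ebak5.1/upload"  # assumed install path
    for name in ["backup.sql", "shell.php", "shell.php.sql",
                 "../../3/shell.phtml", ".htaccess"]:
        print(f"{name!r}: vulnerable -> {vulnerable_target_path(upload_root, name)}"
              f" | accepted by validator -> {is_safe_savefilename(name)}")
```

The vulnerable function happily produces a path under the web root for shell.php and a path outside the upload directory for the traversal name; the hardened one rejects all of them and accepts only backup.sql, which is then stored under a random name.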
Attack Vector
An attacker sends a crafted HTTP request to the vulnerable ChangeTable.php endpoint. The request includes a manipulated savefilename value and the malicious file payload. The web server writes the file to a location accessible from the web root. The attacker then requests the uploaded file by URL, triggering server-side execution. Full technical detail is available in the GitHub Issue Discussion and VulDB #281561.
Detection Methods for CVE-2024-10292
Indicators of Compromise
- Unexpected .php, .phtml, or .phar files appearing under the 3/Ebak5.1/upload/ directory tree.
- HTTP POST (or GET) requests to ChangeTable.php carrying a savefilename value with a script extension. In standard access logs the value is visible only when sent in the query string; a body-carried parameter is seen only by a WAF or by request-body logging.
- Web server access logs showing GET requests to newly created files immediately following an upload event.
- Outbound connections initiated by the web server process to unfamiliar IP addresses after suspicious upload activity.
Detection Strategies
- Inspect web server and WAF logs for requests to ChangeTable.php whose savefilename value carries a script extension anywhere in the name (shell.php, shell.phtml, shell.php.jpg), not only as the final suffix.
- Monitor file integrity on the ZZCMS web root and alert on the creation of executable scripts in upload directories.
- Correlate file creation events with subsequent HTTP requests to the same path within a short time window.
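The indicators and detection strategies above, run over constructed Apache combined-format lines (an added example, not code from the page, the vendor or VulDB; the sample lines are made up, and it assumes savefilename is visible in the request line, that is, sent as a query parameter or written into the same format by a WAF that logs request bodies). Rule 1 flags the upload request itself; rule 2 correlates it with a later successful GET of the path that upload would have created, which is the execution step of the chain.

```python
import posixpath
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, unquote, urlsplit

SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "php8",
                     "phtml", "phar", "phps"}
UPLOAD_DIR = "/3/Ebak5.1/upload/"
UPLOAD_HANDLER = UPLOAD_DIR + "ChangeTable.php"
# How long after an upload request a fetch of the uploaded name is still
# treated as related. Assumption; tune to the environment.
FETCH_WINDOW = timedelta(minutes=10)

# Apache combined log format: client, identd, user, [time], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines: an upload of shell.php followed by a fetch of it,
# then a benign upload whose name carries no script extension.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Oct/2024:14:02:11 +0000] "POST /3/Ebak5.1/upload/ChangeTable.php?savefilename=shell.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [23/Oct/2024:14:02:14 +0000] "GET /3/Ebak5.1/upload/shell.php?cmd=id HTTP/1.1" 200 87 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Oct/2024:14:05:00 +0000] "POST /3/Ebak5.1/upload/ChangeTable.php?savefilename=backup.sql HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Oct/2024:14:06:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": unquote(target.path),
        "query": parse_qs(target.query),
        "status": int(m["status"]),
    }


def has_script_extension(name):
    """True if any dotted segment after the first is an interpreter extension,
    so shell.php.jpg is caught as well as shell.php."""
    segments = posixpath.basename(name).lower().split(".")
    return any(seg in SCRIPT_EXTENSIONS for seg in segments[1:])


def detect(lines):
    """Return (rule, client, time, detail) alerts in time order.

    upload_attempt:        request to ChangeTable.php whose savefilename has a
                           script extension.
    uploaded_file_fetched: successful GET of the path that upload would have
                           created, within FETCH_WINDOW of the upload.
    """
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    alerts = []
    pending = []  # (upload time, expected path of the dropped script)
    for e in events:
        if e["path"] == UPLOAD_HANDLER and "savefilename" in e["query"]:
            for name in e["query"]["savefilename"]:
                if has_script_extension(name):
                    alerts.append(("upload_attempt", e["ip"], e["ts"], name))
                    pending.append((e["ts"], posixpath.normpath(UPLOAD_DIR + name)))
        elif e["method"] == "GET" and e["status"] == 200:
            for uploaded_at, expected in pending:
                if e["path"] == expected and timedelta(0) <= e["ts"] - uploaded_at <= FETCH_WINDOW:
                    alerts.append(("uploaded_file_fetched", e["ip"], e["ts"], e["path"]))
                    break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(*alert)
```

On the sample input the benign backup.sql upload produces nothing, while the shell.php upload yields an upload_attempt alert and, three seconds later, an uploaded_file_fetched alert for /3/Ebak5.1/upload/shell.php. The traversal case is handled by posixpath.normpath, so a savefilename of ../x.php is matched against a later GET of /3/Ebak5.1/x.php.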
Monitoring Recommendations
- Enable verbose access logging on the web server hosting ZZCMS to capture full POST parameters where allowed by policy.
- Track new process execution from the web server user account, particularly shells or interpreters spawned from PHP.
- Forward web and host telemetry to a centralized SIEM or data lake for cross-correlation and retrospective hunting.
How to Mitigate CVE-2024-10292
Immediate Actions Required
- Restrict access to the 3/Ebak5.1/upload/ directory through network ACLs or authentication until a vendor fix is applied.
- Configure the web server to deny execution of PHP files within upload directories using directory-level handler overrides.
- Audit the upload directory for unauthorized files and remove any unrecognized scripts.
- Rotate administrative credentials and review user accounts for unauthorized additions.
Patch Information
At the time of NVD publication, no official vendor patch had been linked in the advisory. Track the GitHub Issue Discussion and the VulDB entry for updates. Until a fix is released, organizations should treat any internet-exposed ZZCMS 2023 installation as at risk and apply compensating controls.
Workarounds
- Place the 3/Ebak5.1/upload/ path behind HTTP basic authentication or an IP allow-list at the reverse proxy.
- Deploy a web application firewall rule that blocks requests to ChangeTable.php containing savefilename values with executable extensions.
- Tighten filesystem permissions on the upload directory (for example, no write access for the web server user where the upload feature is not needed). Note that clearing the execute bit does not prevent PHP execution: mod_php and php-fpm only need read access to run a script, so this supplements the handler-level denial and does not replace it.
- Consider taking ZZCMS 2023 offline or migrating to a supported alternative if business requirements permit.
# Apache configuration to disable PHP execution in the ZZCMS upload directory.
# php_admin_flag is only understood when PHP runs as mod_php; on a php-fpm host
# the directive is a configuration error and must be dropped, and the FilesMatch
# denial below is then the control that actually matters.
<Directory "/var/www/zzcms/3/Ebak5.1/upload">
    php_admin_flag engine off
    # Match a PHP-style extension anywhere in the name, not only at the end, so
    # shell.php.sql is refused along with shell.php and shell.phtml.
    <FilesMatch "\.(php[3-8]?|phtml|phar|phps)(\.|$)">
        Require all denied
    </FilesMatch>
    # Stop an uploaded .htaccess from re-enabling handlers in this directory.
    AllowOverride None
</Directory>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.