CVE-2024-1036 Overview
CVE-2024-1036 is an unrestricted file upload vulnerability affecting openBI versions up to 1.0.8. The flaw resides in the uploadIcon function within /application/index/controller/Screen.php, part of the Icon Handler component. Attackers can exploit this issue remotely without authentication or user interaction. The vulnerability has been publicly disclosed under identifier VDB-252311, increasing the risk of opportunistic exploitation. Successful exploitation allows attackers to upload arbitrary files, which typically leads to remote code execution on the underlying web server. The weakness is classified under [CWE-434] Unrestricted Upload of File with Dangerous Type.
Critical Impact
Unauthenticated remote attackers can upload arbitrary files to vulnerable openBI deployments, leading to full system compromise of the application host.
Affected Products
- openBI versions up to and including 1.0.8
- Component: Icon Handler (/application/index/controller/Screen.php)
- Vulnerable function: uploadIcon
Discovery Timeline
- 2024-01-30 - CVE-2024-1036 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-1036
Vulnerability Analysis
The vulnerability stems from missing validation in the uploadIcon function inside /application/index/controller/Screen.php. The handler accepts uploaded files intended to be icons but fails to enforce restrictions on file type, extension, or content. Attackers can submit a crafted HTTP POST request containing a server-side script disguised as an icon. Once written to a web-accessible directory, the file can be requested directly to execute attacker-controlled code in the application context.
Because openBI is a PHP application built on the ThinkPHP framework, uploaded PHP files typically execute under the same privileges as the web server process. This grants attackers a direct path to data exfiltration, persistence, and lateral movement within the host environment.
Root Cause
The root cause is the absence of allowlist-based MIME type and extension validation in the icon upload routine. The function trusts client-supplied metadata and writes the file to a predictable storage location without renaming, sanitizing, or stripping executable extensions. This pattern matches [CWE-434] Unrestricted Upload of File with Dangerous Type.
Attack Vector
Exploitation requires only network access to the openBI application. The attacker sends a multipart form-data POST request to the uploadIcon endpoint with a malicious .php payload. After upload, the attacker issues a follow-up GET request to the resulting file path to trigger code execution. No authentication or user interaction is required, and the exploit has been disclosed publicly via VulDB and the Zhao Jin Note Summary writeup.
No verified proof-of-concept code is included here. Refer to the VulDB entry for VDB-252311 for additional technical context on the disclosed exploit.
Detection Methods for CVE-2024-1036
Indicators of Compromise
- Unexpected .php, .phtml, or .phar files written under openBI upload directories used by the Icon Handler
- HTTP POST requests targeting /application/index/controller/Screen.php or routes resolving to the uploadIcon action with non-image content types
- Outbound network connections originating from the web server process to unfamiliar hosts shortly after icon upload activity
- Web shell-style GET requests to recently created files within icon storage paths
Detection Strategies
- Inspect web server access logs for POST requests to icon upload endpoints followed by GET requests to newly created files
- Hash and inventory all files in icon upload directories, then alert on any file whose extension or magic bytes do not match image formats
- Deploy web application firewall rules that block multipart uploads containing PHP tags (<?php, <?=) to openBI endpoints
Monitoring Recommendations
- Enable file integrity monitoring on the openBI public/ and upload directories to detect anomalous writes
- Forward web server, PHP-FPM, and operating system process telemetry to a centralized analytics platform for correlation
- Monitor PHP worker processes for unexpected child processes such as sh, bash, nc, or curl, which often follow a successful web shell drop
How to Mitigate CVE-2024-1036
Immediate Actions Required
- Restrict network access to openBI instances to trusted administrative networks until a fix is applied
- Audit upload directories for unauthorized files and remove any non-image content
- Revoke and rotate credentials, tokens, and database secrets accessible from the openBI host if compromise is suspected
- Place a web application firewall in front of openBI to block requests uploading executable content to the uploadIcon handler
Patch Information
At the time of NVD publication, NVD referenced no official vendor advisory or fixed release. Operators should monitor the openBI project for releases beyond version 1.0.8 and review the VulDB advisory for any vendor response. If no patch is available, apply the workarounds below.
Workarounds
- Disable or remove the uploadIcon route in /application/index/controller/Screen.php if icon upload functionality is not required
- Configure the web server to deny script execution within the icon upload directory, for example with Apache's php_admin_flag engine off directive, or by not mapping that path to a PHP handler in Nginx
- Enforce server-side allowlist validation that checks both file extension and magic bytes against permitted image formats (.png, .jpg, .gif, .svg)
- Rename uploaded files to randomized identifiers without preserving the client-supplied extension
# Nginx example: prevent PHP execution inside the icon upload directory
location ^~ /public/upload/icon/ {
    location ~ \.(php|phtml|phar)$ {
        deny all;
        return 403;
    }
}
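As an added example (not openBI's own code or patch), the following PHP shows a hardened replacement for an uploadIcon-style handler alongside the directory audit described under Detection Strategies; both rely on one content-based check rather than the client-supplied name or Content-Type. SVG is deliberately left out of this allowlist because it is XML that can carry script and needs separate sanitization; directory paths and function names are hypothetical.

```php
<?php
// Added example, not openBI's code: content-based icon validation shared by a
// hardened upload handler and a directory audit. Paths and names are hypothetical.
// Detected MIME type => extension we assign; never taken from the client's
// filename or Content-Type header.
const ICON_MIME_TO_EXT = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

// Extension for the file's actual content, or null if it is not an allowlisted image.
function detectIconExtension(string $path): ?string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    // Magic bytes must map to an allowed type AND the image header must parse,
    // so a PHP payload with a spoofed extension or Content-Type is rejected.
    if ($mime === false || !isset(ICON_MIME_TO_EXT[$mime]) || @getimagesize($path) === false) {
        return null;
    }
    return ICON_MIME_TO_EXT[$mime];
}

// Hardened uploadIcon-style handler: validate content, discard the client
// filename, store under a random name with a server-chosen extension.
function storeIcon(array $file, string $iconDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('invalid upload');
    }
    $ext = detectIconExtension($file['tmp_name']);
    if ($ext === null) {
        throw new RuntimeException('rejected: not an allowlisted image');
    }
    $dest = rtrim($iconDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('store failed');
    }
    return basename($dest);
}

// Audit for the detection strategy: files whose extension or magic bytes are
// not an allowlisted image (a dropped .php file, or a PHP payload named .png).
function findSuspiciousIcons(string $iconDir): array
{
    $bad = [];
    foreach (new DirectoryIterator($iconDir) as $f) {
        if ($f->isFile() && detectIconExtension($f->getPathname()) !== strtolower($f->getExtension())) {
            $bad[] = $f->getFilename();
        }
    }
    return $bad;
}
```

Run findSuspiciousIcons() against the icon storage path on a schedule and alert on any non-empty result; because storeIcon() only ever writes server-chosen .png/.jpg/.gif names, anything else in that directory is unexpected.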
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.