CVE-2024-3705 Overview
CVE-2024-3705 is an unrestricted file upload vulnerability affecting OpenGnsys version 1.1.1d (Espeto). This vulnerability allows an attacker to send a POST request to the endpoint /opengnsys/images/M_Icons.php while modifying the file extension. Due to a lack of file extension verification, this can result in webshell injection, allowing attackers to execute arbitrary code on the affected server.
Critical Impact
This vulnerability enables attackers with low-privilege access to upload malicious files (webshells) to the server, potentially leading to full system compromise with high impact on confidentiality, integrity, and availability.
Affected Products
- OpenGnsys version 1.1.1d (Espeto)
- OpenGnsys installations using the vulnerable /opengnsys/images/M_Icons.php endpoint
Discovery Timeline
- 2024-04-12 - CVE-2024-3705 published to NVD
- 2025-11-04 - Last updated in NVD database
Technical Details for CVE-2024-3705
Vulnerability Analysis
This vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). The /opengnsys/images/M_Icons.php endpoint in OpenGnsys version 1.1.1d fails to properly validate the file extension of uploaded files. When processing POST requests, the application does not verify that uploaded files have safe extensions, allowing attackers to upload executable files such as PHP webshells.
Once a webshell is uploaded, an attacker can execute arbitrary commands on the server with the privileges of the web server process. This can lead to data exfiltration, lateral movement within the network, installation of persistent backdoors, or complete system takeover.
Root Cause
The root cause is missing file extension verification in the M_Icons.php file upload handler. The application accepts file uploads without checking whether the submitted file has a dangerous extension (such as .php, .phtml, or other executable types). This allows attackers to bypass intended restrictions by simply modifying the file extension in the POST request.
Attack Vector
The attack vector is network-based, requiring the attacker to have low-privilege authenticated access to the OpenGnsys web interface. The attacker crafts a malicious POST request to the /opengnsys/images/M_Icons.php endpoint, uploading a PHP webshell disguised with a modified extension. Once the file is uploaded and accessible on the server, the attacker can execute the webshell to run arbitrary commands.
The exploitation process involves:
- Authenticating to the OpenGnsys application with low-privilege credentials
- Crafting a POST request to /opengnsys/images/M_Icons.php with a malicious PHP file
- Modifying the file extension to bypass any client-side validation
- Accessing the uploaded webshell to execute system commands
Detection Methods for CVE-2024-3705
Indicators of Compromise
- Unexpected PHP files or files with executable extensions in the /opengnsys/images/ directory
- Web server access logs showing POST requests to /opengnsys/images/M_Icons.php with unusual file names or extensions
- Recently created files in web-accessible directories, especially ones that do not correspond to a known deployment or update
- Child processes spawned by the web server process (e.g., www-data or apache running a shell or other command interpreters)
Detection Strategies
- Monitor HTTP POST requests to /opengnsys/images/M_Icons.php for suspicious file uploads, particularly those with PHP or executable extensions
- Implement file integrity monitoring on web-accessible directories to detect unauthorized file creation
- Review web server access logs for anomalous upload patterns or requests from unexpected sources
- Deploy web application firewall (WAF) rules to block uploads of dangerous file types to sensitive endpoints
Monitoring Recommendations
- Enable detailed logging for the OpenGnsys web application, particularly for file upload operations
- Configure alerts for new file creation events in the /opengnsys/images/ directory
- Monitor for outbound connections from the web server that may indicate webshell command-and-control activity
- Implement regular directory scanning to identify files with executable extensions in upload directories
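The log-based detections above, as an added example that is not part of the original advisory: a small Python analyzer that flags POSTs to the vulnerable endpoint and requests for PHP-type files under /opengnsys/images/, and correlates the two per client. The log format (Apache "combined"), the sample lines and the extension list are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Apache "combined" log format: client IP, timestamp, method, path and status are all we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_ENDPOINT = "/opengnsys/images/M_Icons.php"
UPLOAD_DIR = "/opengnsys/images/"
# Extensions the web server may hand to the PHP interpreter (.php and .phtml are the ones named above).
EXEC_EXT = re.compile(r"\.(php\d?|phtml|phar)(?:$|/)", re.IGNORECASE)

# Constructed sample log lines (not real traffic): one client posts to the upload handler, then
# fetches a .phtml file from the images directory; a second client only views M_Icons.php itself.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Apr/2024:10:00:01 +0000] "GET /opengnsys/images/logo.png HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2024:10:00:05 +0000] "POST /opengnsys/images/M_Icons.php HTTP/1.1" 200 87 "-" "curl/8.0"
203.0.113.10 - - [12/Apr/2024:10:00:09 +0000] "GET /opengnsys/images/icon.phtml HTTP/1.1" 200 64 "-" "curl/8.0"
198.51.100.7 - - [12/Apr/2024:10:02:00 +0000] "GET /opengnsys/images/M_Icons.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyze(lines):
    """Return (ip, finding) tuples: upload POSTs, executable-file fetches, and their correlation."""
    findings, uploaders, shell_hits = [], set(), defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # unparseable line: skip rather than abort the whole file
        ip, path = rec["ip"], rec["path"]
        bare = path.split("?", 1)[0]  # ignore the query string when matching the path
        if rec["method"] == "POST" and bare == UPLOAD_ENDPOINT:
            findings.append((ip, f"upload POST to {UPLOAD_ENDPOINT} (status {rec['status']})"))
            uploaders.add(ip)
        elif bare.startswith(UPLOAD_DIR) and bare != UPLOAD_ENDPOINT and EXEC_EXT.search(bare):
            findings.append((ip, f"request for executable file in upload dir: {bare}"))
            shell_hits[ip].append(bare)
    # Same client both posted to the upload handler and then fetched a PHP-type file: strongest signal.
    for ip in sorted(uploaders & set(shell_hits)):
        findings.append((ip, f"LIKELY EXPLOIT: upload followed by access to {shell_hits[ip][0]}"))
    return findings

if __name__ == "__main__":
    for ip, finding in analyze(SAMPLE_LOG.splitlines()):
        print(ip, finding)
```

A legitimate GET of M_Icons.php is deliberately not flagged, so the rule stays quiet on normal administrator use of the page.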
How to Mitigate CVE-2024-3705
Immediate Actions Required
- Apply the security patch provided by OpenGnsys immediately (see the OpenGnsys Security Patch page)
- Audit the /opengnsys/images/ directory for any suspicious or unauthorized files
- Review web server access logs for evidence of exploitation attempts
- Restrict access to the OpenGnsys administrative interface to trusted networks only
- Consider temporarily disabling the file upload functionality until the patch is applied
Patch Information
OpenGnsys has released a security patch addressing this vulnerability. Organizations running OpenGnsys version 1.1.1d should apply the patch immediately. Detailed patch information and installation instructions are available from the OpenGnsys Security Patch page. Additional information about multiple OpenGnsys vulnerabilities can be found in the INCIBE CERT Vulnerability Notice.
Workarounds
- Implement server-side file extension whitelisting to only allow safe image file types (e.g., .png, .jpg, .gif)
- Configure the web server to prevent execution of PHP files in the upload directory using .htaccess or equivalent configuration
- Apply network-level access controls to restrict who can reach the OpenGnsys web interface
- Use a web application firewall to filter and block requests containing dangerous file extensions
# Apache configuration to prevent PHP execution in the uploads directory.
# Add to /etc/apache2/sites-available/opengnsys.conf, or to .htaccess in /opengnsys/images/
# (the .htaccess variant needs AllowOverride to permit these directives, and must use
# php_flag rather than php_admin_flag).
<Directory "/var/www/opengnsys/images">
    # Only valid when mod_php is loaded: with PHP-FPM remove this line (Apache refuses to
    # start on an unknown directive) and rely on the FilesMatch block below.
    php_admin_flag engine off
    # Deny every extension the server could hand to PHP, not just .php: .phtml is named above.
    # "Require" is Apache 2.4 syntax.
    <FilesMatch "\.(php[0-9]?|phtml|phar)$">
        Require all denied
    </FilesMatch>
</Directory>
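The server-side allowlisting workaround listed above, as an added example in Python that is not OpenGnsys code: the upload is accepted only if its extension is on an allowlist and its leading bytes match that image type, and it is stored under a server-generated name so the client never chooses the extension or path. The allowlist and magic bytes are assumptions constructed for this example.

```python
import os
import secrets

# Allowlisted icon types -> leading magic bytes. Constructed for this example;
# the real endpoint would allow whatever image types the icon picker needs.
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
ALIASES = {"jpeg": "jpg"}

class UploadRejected(ValueError):
    """Raised for any upload that must not be written to the images directory."""

def validate_icon(client_filename, data):
    """Return the canonical extension for an acceptable upload, else raise UploadRejected.

    The client-supplied name is used only to learn which image type is claimed; the
    claim is then checked against the file's leading bytes, so 'shell.png' containing
    PHP source fails here even though its extension is on the allowlist.
    """
    base = os.path.basename(client_filename)  # drop any directory components
    if "." not in base:
        raise UploadRejected("no extension supplied")
    ext = base.rsplit(".", 1)[1].lower()       # case-insensitive: .PHP, .PhTmL, .PNG
    ext = ALIASES.get(ext, ext)
    if ext not in ALLOWED:
        raise UploadRejected(f"extension .{ext} is not an allowed image type")
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        raise UploadRejected("file content does not match the declared image type")
    return ext

def storage_name(client_filename, data):
    """Validate, then choose the name the file will be saved under.

    The server picks a random name and the canonical extension, so neither a
    double extension (evil.php.gif) nor a traversal prefix in the client's name
    ever reaches the filesystem.
    """
    return f"{secrets.token_hex(8)}.{validate_icon(client_filename, data)}"

def store_icon(client_filename, data, upload_dir):
    """Write a validated upload into upload_dir and return the stored file name."""
    name = storage_name(client_filename, data)
    with open(os.path.join(upload_dir, name), "xb") as fh:  # "x": never overwrite
        fh.write(data)
    return name
```

Pair this with the web server configuration above: the allowlist stops dangerous files from being written, and the no-execute directory rule limits the damage if validation is ever bypassed.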
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.