CVE-2024-7329 Overview
CVE-2024-7329 is an unrestricted file upload vulnerability in YouDianCMS 7, a Chinese content management system. The flaw resides in the image_upload.php script located at /Public/ckeditor/plugins/multiimage/dialogs/image_upload.php. Attackers can manipulate the files argument to upload arbitrary files to the server without proper validation. The weakness is categorized under CWE-434 (Unrestricted Upload of File with Dangerous Type). Remote exploitation is possible and the exploit details have been disclosed publicly. The vendor was contacted prior to disclosure but did not respond.
Critical Impact
Remote attackers with low-privilege access can upload arbitrary files through the CKEditor multiimage upload endpoint, potentially leading to webshell deployment and server compromise.
Affected Products
- YouDianCMS 7.0
- CKEditor multiimage plugin component within YouDianCMS
- Deployments exposing /Public/ckeditor/plugins/multiimage/dialogs/image_upload.php
Discovery Timeline
- 2024-07-31 - CVE-2024-7329 published to NVD; tracked by VulDB as VDB-273252
- 2024-08-23 - Last updated in NVD database
Technical Details for CVE-2024-7329
Vulnerability Analysis
The vulnerability exists in the multiimage upload dialog shipped with the bundled CKEditor instance in YouDianCMS 7. The image_upload.php handler accepts the files parameter without enforcing restrictions on file extension, MIME type, or content. An authenticated attacker with low-level privileges can submit a crafted multipart request that places executable PHP files into a web-accessible directory. Once written, the attacker can request the uploaded file directly to trigger server-side execution. The file upload endpoint is reachable over the network, requires no user interaction, and provides a reliable path to command execution on the host. Public disclosure of the proof-of-concept increases the likelihood of opportunistic scanning and exploitation against exposed YouDianCMS instances.
Root Cause
The root cause is missing server-side validation of uploaded file types in the image_upload.php handler. The script trusts client-supplied input for the files parameter and writes content to disk without verifying that the resource is a legitimate image. There is no extension allowlist, no content-type inspection, and no enforcement of a non-executable storage path.
Attack Vector
An attacker authenticated to the application sends an HTTP POST request to /Public/ckeditor/plugins/multiimage/dialogs/image_upload.php with a malicious PHP payload disguised as an image. The server stores the file in a directory served by the web application. The attacker then issues a follow-up GET request to the uploaded path, which triggers PHP execution and yields command execution in the context of the web server user. See the VulDB advisory and the Shikangsi Wiki write-up for additional technical references.
Detection Methods for CVE-2024-7329
Indicators of Compromise
- HTTP POST requests to /Public/ckeditor/plugins/multiimage/dialogs/image_upload.php originating from unexpected IP ranges
- New files with executable extensions (.php, .phtml, .phar) appearing in CKEditor upload directories
- Web server processes spawning shell interpreters or outbound connections shortly after upload activity
- Access logs showing GET requests to recently uploaded files in /Public/ckeditor/ paths
Detection Strategies
- Inspect web server logs for POST requests targeting the vulnerable endpoint paired with subsequent GET requests to non-image files in the same directory tree
- Deploy file integrity monitoring on CKEditor upload directories to flag creation of non-image artifacts
- Apply web application firewall rules that block uploads whose magic bytes or extensions do not match image/* MIME types
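The log-correlation strategy above (a POST to the upload endpoint followed by a GET to a non-image file under /Public/ckeditor/ from the same client) as a runnable check over access-log lines; this is an added example, not tooling from YouDianCMS or the advisory, and the upload subdirectory, the 10-minute window and the sample log lines are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

UPLOAD_ENDPOINT = "/Public/ckeditor/plugins/multiimage/dialogs/image_upload.php"
UPLOAD_TREE = "/Public/ckeditor/"          # assumption: stored uploads live under this tree
IMAGE_EXTS = {"png", "jpg", "jpeg", "gif", "webp", "bmp"}
WINDOW = timedelta(minutes=10)             # assumed max gap between upload POST and follow-up GET

# Apache/nginx "combined" format: ip ident user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Parse one access-log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "method": m.group("method"), "status": int(m.group("status")),
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "path": m.group("path").split("?", 1)[0]}   # drop any query string

def is_non_image_under_upload_tree(path):
    """True for a file under the CKEditor tree whose final extension is not an image type."""
    if not path.startswith(UPLOAD_TREE) or path == UPLOAD_ENDPOINT:
        return False
    name = path.rsplit("/", 1)[-1]
    if "." not in name:
        return False        # directory or extensionless resource, not a stored upload
    return name.rsplit(".", 1)[-1].lower() not in IMAGE_EXTS

def find_suspicious_sequences(lines):
    """Return (ip, upload_time, fetched_path) for each successful POST to the upload
    endpoint followed within WINDOW by a GET from the same IP to a non-image file."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    last_upload = {}        # ip -> timestamp of its most recent successful upload POST
    hits = []
    for e in events:
        if e["method"] == "POST" and e["path"] == UPLOAD_ENDPOINT and e["status"] < 400:
            last_upload[e["ip"]] = e["ts"]
        elif (e["method"] == "GET" and e["ip"] in last_upload
              and is_non_image_under_upload_tree(e["path"])
              and e["ts"] - last_upload[e["ip"]] <= WINDOW):
            hits.append((e["ip"], last_upload[e["ip"]].isoformat(), e["path"]))
    return hits

# Constructed sample log: one upload-then-fetch of a .php file, one legitimate image upload.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Aug/2024:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Aug/2024:10:01:00 +0000] "POST /Public/ckeditor/plugins/multiimage/dialogs/image_upload.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Aug/2024:10:01:05 +0000] "GET /Public/ckeditor/upload/x.php?v=1 HTTP/1.1" 200 41 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [01/Aug/2024:10:02:00 +0000] "POST /Public/ckeditor/plugins/multiimage/dialogs/image_upload.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [01/Aug/2024:10:02:03 +0000] "GET /Public/ckeditor/upload/photo.jpg HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
]
```

Running find_suspicious_sequences(SAMPLE_LOG) flags only the first client, whose upload was followed by a fetch of a .php file; the second client's image fetch is ignored.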
Monitoring Recommendations
- Forward web server access logs and PHP error logs to a centralized analytics platform for correlation
- Alert on web server user accounts executing sh, bash, cmd.exe, or network utilities
- Track outbound connections from the PHP-FPM or Apache worker processes against known threat intelligence feeds
How to Mitigate CVE-2024-7329
Immediate Actions Required
- Restrict network access to /Public/ckeditor/plugins/multiimage/dialogs/image_upload.php using web server access controls or upstream firewall rules
- Audit CKEditor upload directories for unexpected .php, .phtml, or .phar files and remove any unauthorized artifacts
- Revoke or rotate credentials for any low-privilege accounts that could be abused to reach the upload endpoint
- Configure the web server to disable PHP execution within upload directories
Patch Information
No vendor patch is available. The YouDianCMS vendor did not respond to coordinated disclosure attempts referenced in the VulDB submission. Operators should treat YouDianCMS 7.0 deployments as unmaintained for this issue and apply compensating controls until an official fix is released.
Workarounds
- Block direct HTTP access to the image_upload.php script at the reverse proxy or web server layer
- Add server-side filters that reject uploads whose extensions or MIME types are not on a strict image allowlist
- Move CKEditor upload directories outside the web root or serve them through a handler that disables script interpretation
- Consider migrating to a maintained CMS platform if a vendor fix is not forthcoming
# Apache: deny direct access to the vulnerable upload script
<Files "image_upload.php">
Require all denied
</Files>
# Apache: disable PHP execution inside CKEditor upload directories
# (php_admin_flag only takes effect under mod_php; on PHP-FPM deployments the
# script extensions must instead be denied or left unmapped at the web server)
<Directory "/var/www/html/Public/ckeditor/">
php_admin_flag engine off
AddType text/plain .php .phtml .phar
</Directory>
# Nginx equivalent: return 403 for the vulnerable endpoint
location = /Public/ckeditor/plugins/multiimage/dialogs/image_upload.php {
deny all;
return 403;
}
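The server-side filter recommended in the workarounds (a strict image extension allowlist combined with content inspection, and a server-chosen storage name) as an added example; it is not YouDianCMS code, and the accepted types, magic-byte table and naming scheme are this example's own assumptions.

```python
import os
import secrets

# Allowlist: final extension -> magic-byte prefixes a genuine file of that type starts with
ALLOWED_IMAGE_TYPES = {
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif":  (b"GIF87a", b"GIF89a"),
}

def validate_image_upload(client_filename, content):
    """Return (accepted, reason). Both the final extension and the leading bytes must
    agree with an allowlisted image type; the client's Content-Type header is ignored."""
    name = os.path.basename(client_filename.replace("\\", "/"))
    if "\x00" in name or "." not in name:
        return False, "missing or malformed extension"
    ext = name.rsplit(".", 1)[1].lower()   # only the FINAL extension decides how the server treats the file
    if ext not in ALLOWED_IMAGE_TYPES:
        return False, f"extension .{ext} is not an allowlisted image type"
    if not any(content.startswith(magic) for magic in ALLOWED_IMAGE_TYPES[ext]):
        return False, f"content does not start like a .{ext} image"
    return True, "ok"

def storage_name(ext):
    """Server-chosen file name: random stem plus the validated extension, never the client's name."""
    return f"{secrets.token_hex(16)}.{ext}"
```

A header check alone does not stop a file that carries a valid image prefix followed by script content, so the non-executable storage configuration above stays necessary alongside this filter.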
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.