CVE-2024-8294 Overview
CVE-2024-8294 is an unrestricted file upload vulnerability affecting FeehiCMS versions up to 2.1.1. The flaw resides in the update function of /admin/index.php?r=friendly-link/update, where the FriendlyLink[image] parameter accepts attacker-controlled files without proper validation [CWE-434]. Authenticated attackers can upload arbitrary files remotely over the network.
The vulnerability was publicly disclosed and the exploit details are available. The vendor was contacted prior to disclosure but did not respond. No official patch has been published at the time of writing.
Critical Impact
Authenticated attackers can upload arbitrary files to the FeehiCMS server through the friendly-link administration endpoint, potentially leading to webshell deployment and remote code execution.
Affected Products
- FeehiCMS versions up to and including 2.1.1
- Installations exposing /admin/index.php?r=friendly-link/update
- Deployments where low-privileged admin accounts can reach the friendly-link module
Discovery Timeline
- 2024-08-29 - CVE-2024-8294 published to NVD
- 2024-08-30 - Last updated in NVD database
Technical Details for CVE-2024-8294
Vulnerability Analysis
The vulnerability is an unrestricted file upload classified under [CWE-434]. FeehiCMS exposes a friendly-link management feature in its administrative interface at /admin/index.php?r=friendly-link/update. The update function processes the FriendlyLink[image] argument without enforcing restrictions on file type, extension, or content.
An attacker with access to the affected endpoint can submit a crafted request containing an executable PHP payload disguised as an image. Once uploaded, the file is written to a location accessible by the web server, allowing direct invocation through an HTTP request.
The EPSS probability score is 0.218%, indicating low observed exploitation activity at this time. The attack is launched remotely and requires authenticated access to the admin module.
Root Cause
The root cause is missing validation in the friendly-link update handler. The application accepts the FriendlyLink[image] parameter as a trusted upload, omitting MIME checks, extension allowlisting, and content inspection. The uploaded file is stored within the web root without sanitization or renaming.
Attack Vector
The attack is network-based and targets the administrative endpoint. The attacker authenticates with a low-privileged admin account, submits a POST request to /admin/index.php?r=friendly-link/update containing a malicious file in the FriendlyLink[image] field, and then requests the uploaded file directly to trigger server-side execution. Public disclosure of the exploit increases the likelihood of opportunistic abuse against exposed instances.
No verified proof-of-concept code is referenced in trusted advisories beyond the Gitee Vulnerability Article and the VulDB entry #276069.
Detection Methods for CVE-2024-8294
Indicators of Compromise
- Unexpected files with executable extensions (.php, .phtml, .phar) stored in FeehiCMS upload directories used by the friendly-link module
- HTTP POST requests to /admin/index.php?r=friendly-link/update carrying multipart payloads in the FriendlyLink[image] field with non-image content
- Subsequent GET requests to uploaded asset paths returning dynamic responses rather than static image data
- Outbound network connections initiated by the PHP worker process shortly after a friendly-link update event
Detection Strategies
- Inspect web server access logs for POST requests to the friendly-link update route followed by direct retrieval of newly written files in the uploads directory
- Apply web application firewall rules that validate Content-Type and magic bytes on multipart uploads to administrative endpoints
- Monitor file integrity in FeehiCMS upload directories to flag the creation of files with server-executable extensions
Monitoring Recommendations
- Forward FeehiCMS application logs and web server logs to a centralized analytics platform for retention and correlation
- Alert on PHP worker processes spawning shells, network utilities, or scripting interpreters after admin module activity
- Track authentication events for the FeehiCMS admin panel and correlate failed logins with subsequent friendly-link updates
How to Mitigate CVE-2024-8294
Immediate Actions Required
- Restrict access to /admin/index.php using IP allowlisting, VPN, or reverse-proxy authentication until a vendor fix is available
- Audit existing files in FeehiCMS upload directories and remove any unauthorized scripts or non-image artifacts
- Rotate credentials for all FeehiCMS administrator accounts and enforce strong password policies
- Disable PHP execution within upload directories at the web server configuration layer
Patch Information
No vendor patch has been published for CVE-2024-8294. The vendor did not respond to disclosure attempts per the NVD record. Operators should monitor the FeehiCMS project for future updates and consider migration to an actively maintained CMS if a fix does not materialize.
Workarounds
- Configure the web server to deny execution of .php and other interpreter extensions within FeehiCMS upload paths
- Place a web application firewall in front of the admin interface and block multipart uploads where the file content does not match an image MIME signature
- Remove or disable the friendly-link module if it is not required for site operations
- Restrict admin panel exposure to the public internet and require multi-factor authentication for administrative sessions
# Example nginx configuration to block PHP execution in upload directories
location ~* ^/uploads/.*\.(php|phtml|phar|php5|pht)$ {
deny all;
return 403;
}
# Restrict admin panel access by source IP
location /admin/ {
allow 10.0.0.0/8;
deny all;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
