CVE-2024-8295: Feehi FeehiCMS RCE Vulnerability

CVE-2024-8295 Overview

CVE-2024-8295 is an unrestricted file upload vulnerability in FeehiCMS versions up to 2.1.1. The flaw resides in the createBanner function of /admin/index.php?r=banner%2Fbanner-create. Attackers can manipulate the BannerForm[img] argument to upload arbitrary files to the server. The vulnerability is remotely exploitable and has been publicly disclosed. The vendor was contacted prior to disclosure but did not respond, leaving installations without an official patch. This issue is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type).

Critical Impact

Authenticated attackers can upload arbitrary files through the banner creation endpoint, potentially leading to web shell deployment and remote code execution on the host running FeehiCMS.

Affected Products

• FeehiCMS versions up to and including 2.1.1
• Installations exposing /admin/index.php?r=banner%2Fbanner-create
• Deployments with administrative access available to lower-privileged users

Discovery Timeline

• 2024-08-29 - CVE-2024-8295 published to NVD
• 2024-08-30 - Last updated in NVD database

Technical Details for CVE-2024-8295

Vulnerability Analysis

The vulnerability exists in the banner creation workflow of FeehiCMS. The createBanner function processes the BannerForm[img] parameter without enforcing file type, extension, or content validation. An authenticated attacker submits a multipart request to /admin/index.php?r=banner%2Fbanner-create and supplies a file containing server-side script content instead of a legitimate image. Because the application does not restrict the upload, the file is written to a server-accessible directory. The attacker then requests the uploaded file directly, causing the web server to execute the embedded code.

Root Cause

The root cause is missing validation of user-supplied file uploads in the banner administration component. The application trusts the BannerForm[img] field for content type and extension and writes the file to disk under a predictable path. This pattern maps directly to CWE-434, where dangerous file types are accepted without sanitization or allowlisting.

Attack Vector

The attack is initiated over the network and requires low privileges, consistent with an authenticated session to the admin panel. No user interaction is required beyond the attacker's own request. After uploading a malicious file such as a PHP web shell, the attacker fetches it through the web server to gain code execution. Technical write-ups are available at the Gitee CVE Article and VulDB entry #276070.

Detection Methods for CVE-2024-8295

Indicators of Compromise

• POST requests to /admin/index.php?r=banner%2Fbanner-create containing BannerForm[img] with non-image MIME types or executable extensions such as .php, .phtml, or .phar.
• New files appearing in FeehiCMS banner upload directories with script extensions or unexpected MIME signatures.
• Outbound network connections originating from the web server process shortly after a banner upload event.
• Web server access logs showing direct GET requests to recently uploaded banner files followed by command-shell behavior.

Detection Strategies

• Inspect HTTP request bodies for BannerForm[img] fields and validate that the uploaded content matches an image signature.
• Compare file extensions against the declared Content-Type header to flag mismatches at the web application firewall layer.
• Monitor the web root and upload directories for new files with executable extensions using file integrity monitoring.

Monitoring Recommendations

• Enable verbose logging on the FeehiCMS admin endpoints and forward logs to a centralized analytics platform.
• Alert on child processes spawned by the web server user, such as php invoking sh, bash, or cmd.exe.
• Track authentication events for FeehiCMS administrator accounts and flag logins from unusual source addresses.

How to Mitigate CVE-2024-8295

Immediate Actions Required

• Restrict access to /admin/index.php using network ACLs, VPN, or IP allowlists until a vendor fix is published.
• Audit the FeehiCMS upload directories for unexpected files and remove any unauthorized scripts.
• Rotate credentials for all administrative accounts and enforce strong, unique passwords.
• Review web server logs for prior exploitation attempts referencing banner-create and BannerForm[img].

Patch Information

No vendor patch is available at the time of publication. The CVE record notes that the vendor did not respond to disclosure attempts. Organizations running FeehiCMS up to 2.1.1 should monitor the VulDB advisory for future updates and consider migrating to an actively maintained CMS if no fix is released.

Workarounds

• Deploy a web application firewall rule that blocks uploads to banner-create when the file extension is not in an allowlist of image types such as .jpg, .png, and .gif.
• Configure the web server to refuse execution of script files within banner upload directories using php_admin_flag engine off or equivalent.
• Apply server-side MIME validation through a reverse proxy that inspects file signatures before forwarding requests to FeehiCMS.

# Apache configuration to disable PHP execution in upload directories
<Directory "/var/www/feehicms/uploads/banner">
    php_admin_flag engine off
    AddType text/plain .php .phtml .phar .php5 .php7
    <FilesMatch "\.(php|phtml|phar|php5|php7)$">
        Require all denied
    </FilesMatch>
</Directory>