CVE-2024-8296 Overview
CVE-2024-8296 is an unrestricted file upload vulnerability in FeehiCMS up to version 2.1.1. The flaw resides in the insert function of /admin/index.php?r=user%2Fcreate and is triggered through manipulation of the User[avatar] argument. An authenticated remote attacker with low privileges can upload arbitrary files to the server, potentially leading to code execution within the application context. The exploit details have been disclosed publicly, increasing the risk of opportunistic attacks. The vendor was notified prior to disclosure but did not respond, leaving deployments without an official patch path.
Critical Impact
Authenticated attackers can upload arbitrary files through the user creation avatar parameter, enabling persistent web shell installation and remote code execution on affected FeehiCMS instances.
Affected Products
- FeehiCMS versions up to and including 2.1.1
- feehi:feehicms component packaged in self-hosted deployments
- Administrative interface exposed at /admin/index.php?r=user/create
Discovery Timeline
- 2024-08-29 - CVE-2024-8296 published to NVD
- 2024-08-30 - Last updated in NVD database
Technical Details for CVE-2024-8296
Vulnerability Analysis
The vulnerability is classified under [CWE-434] Unrestricted Upload of File with Dangerous Type. FeehiCMS exposes a user creation endpoint at /admin/index.php?r=user%2Fcreate that accepts an avatar file through the User[avatar] parameter. The insert function processes this parameter without enforcing restrictions on file extension, MIME type, or content. An attacker who holds low-privileged access to the administration panel can submit a request that places executable content into a web-accessible directory. Because FeehiCMS is built on PHP, an uploaded .php file served from a writable directory can be invoked directly through an HTTP request, granting code execution within the web server process.
Root Cause
The root cause is missing server-side validation of uploaded file content within the user avatar handler. The application trusts the client-supplied filename and content type, omitting allowlist checks, magic byte verification, and storage isolation. The avatar file is written to a path reachable by the web server, allowing the PHP interpreter to execute it.
Attack Vector
The attack is initiated remotely over the network. An authenticated user submits a multipart POST request to the user creation route with a malicious PHP payload supplied through the User[avatar] field. After upload, the attacker requests the resulting URL, triggering execution of the embedded code. Public disclosure of the exploit on VulDB and Gitee lowers the barrier for adversaries. Refer to the Gitee Vulnerability Report and VulDB #276071 for proof-of-concept artifacts.
Detection Methods for CVE-2024-8296
Indicators of Compromise
- POST requests to /admin/index.php?r=user/create containing a User[avatar] field with non-image extensions such as .php, .phtml, or .phar.
- Newly created files in the FeehiCMS avatar upload directory with executable server-side extensions.
- Outbound connections originating from the PHP-FPM or web server process following an avatar upload.
- Web server access logs showing direct GET requests to recently uploaded avatar filenames.
Detection Strategies
- Inspect HTTP request bodies to the user creation endpoint for file uploads whose content does not match image magic bytes (FFD8FF, 89504E47, 47494638).
- Alert on creation of files with PHP-executable extensions under web-accessible upload paths.
- Correlate administrative authentication events with subsequent file-write operations on the web root.
Monitoring Recommendations
- Forward web server and application logs to a centralized analytics platform and retain administrative endpoint traffic for review.
- Monitor file integrity of FeehiCMS upload directories for additions of non-image content.
- Track process lineage where the web server spawns shells, interpreters, or networking utilities.
How to Mitigate CVE-2024-8296
Immediate Actions Required
- Restrict access to /admin/ paths through IP allowlisting, VPN, or reverse-proxy authentication.
- Disable PHP execution within the avatar upload directory using web server configuration.
- Rotate administrative credentials and review user accounts created after August 2024 for suspicious activity.
- Audit upload directories for files that do not conform to expected image formats and remove unauthorized artifacts.
Patch Information
The vendor was contacted but did not respond, and no official patch is available at the time of disclosure. Operators should treat FeehiCMS 2.1.1 and earlier as unpatched and apply compensating controls. Track upstream activity through the VulDB CTI #276071 entry for updates.
Workarounds
- Configure the web server to deny execution of .php, .phtml, and .phar files inside the uploads directory using Files directives in Apache or location blocks in nginx.
- Place a web application firewall rule that blocks multipart uploads to /admin/index.php?r=user/create where the filename extension is not .jpg, .jpeg, .png, or .gif.
- Enforce server-side validation by patching the insert function locally to verify MIME type and magic bytes before saving.
- Store uploaded files outside the document root and serve them through a controlled handler that sets Content-Type explicitly.
# Configuration example: nginx block to prevent PHP execution in uploads
location ~* /uploads/.*\.(php|phtml|phar)$ {
deny all;
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
