CVE-2025-60947 Overview
Census CSWeb 8.0.1 contains an arbitrary file upload vulnerability that allows a remote, authenticated attacker to upload a malicious file to the server. Because an uploaded file can then be reached and executed through the web server, the flaw can lead to remote code execution (RCE) and complete control over the affected system. The issue has been addressed in version 8.1.0 alpha.
Critical Impact
Authenticated attackers can upload arbitrary files, potentially achieving remote code execution and full system compromise on Census CSWeb 8.0.1 installations.
Affected Products
- Census CSWeb version 8.0.1
- CSProUsers CSWeb application
Discovery Timeline
- 2026-03-23 - CVE-2025-60947 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2025-60947
Vulnerability Analysis
This vulnerability (CWE-434: Unrestricted Upload of File with Dangerous Type) stems from insufficient validation of file uploads in Census CSWeb 8.0.1. The application fails to properly restrict the types of files that authenticated users can upload, allowing potentially malicious files such as PHP scripts or web shells to be placed on the server.
Once a malicious file has been uploaded, the attacker can execute arbitrary code on the server simply by requesting the uploaded file through a web browser. The attack requires valid credentials: the attacker must first obtain legitimate user access before this vulnerability can be exploited.
The impact includes potential complete system compromise, data theft, lateral movement within the network, and the ability to use the compromised server as a pivot point for further attacks.
Root Cause
The root cause of CVE-2025-60947 is inadequate input validation and access control on file upload functionality. The application lacked proper restrictions on:
- File type validation - allowing dangerous file extensions to be uploaded
- Directory access controls - permitting direct access to sensitive folders and uploaded files
- Execution prevention - failing to block execution of uploaded scripts
The security patch introduces .htaccess rules that block access to sensitive directories and files, which indicates that the original implementation lacked defense-in-depth controls for file handling.
Attack Vector
The attack is network-based and requires low privileges (authenticated user). The attack sequence involves:
- An attacker authenticates to the CSWeb application with valid credentials
- The attacker uploads a malicious file (e.g., PHP web shell) through the file upload functionality
- The attacker accesses the uploaded file directly via the web server
- The malicious code executes with the web server's privileges, granting the attacker control over the system
The following security patch was applied to address the vulnerability by implementing access controls in the .htaccess file:
+# Block direct browser access to specific files
+<FilesMatch "^(\.DS_Store|\.htaccess|README\.md|\.gitignore|bower\.json|web\.config|composer\.json|composer\.lock|composer\.phar|api/web\.config|app/AppCache\.php|files/\.gitignore|maps/\.travis\.yml|app/AppKernel\.php|app/api/ApiKernel\.php)$">
+ <IfModule mod_authz_core.c>
+ # Apache v2.4 or later
+ Require all denied
+ </IfModule>
+ <IfModule mod_access_compat.c>
+ # Apache 2.2, 2.3, or compatibility mode in 2.4
+ Order allow,deny
+ Deny from all
+ </IfModule>
+</FilesMatch>
+
+RewriteEngine On
+
+# Block access to asset in specific folders, if we want to also block all asset files in a folder we must include the folder in this rule before the one below
+RewriteRule ^(vendor/phpunit)/ - [F,L]
+
+# Block sensitive folders unconditionally — no condition before this
+RewriteRule ^(var|tests|files|bin|\.git|less|maps|vendor|nbproject|templates|app/config|app/config/api|\.vscode)/ - [F,L]
+
+# If the request is for an actual file (css, js, images etc), serve it directly
+RewriteCond %{REQUEST_FILENAME} -f
+RewriteCond %{REQUEST_URI} \.(css|js|png|jpg|jpeg|woff2|woff|ttf|gif|ico)$
+RewriteRule ^ - [L]
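Review bot: the directory-qualified entries in the <FilesMatch> pattern (api/web\.config, app/AppCache\.php, files/\.gitignore, maps/\.travis\.yml, app/AppKernel\.php, app/api/ApiKernel\.php) will never match, because <Files> and <FilesMatch> compare against the file's base name rather than its path; web.config and .gitignore are still caught by their bare-name entries, but AppCache.php, AppKernel.php, ApiKernel.php and .travis.yml are not, and app/ itself is absent from the folder RewriteRule (only app/config and app/config/api are listed). Either add those base names to the pattern or move them into the path-based RewriteRule. Two smaller points: all of this depends on AllowOverride permitting .htaccess and on mod_rewrite being loaded, so the upgrade notes should tell operators how to confirm it took effect (a request for /files/.gitignore returning 403 is a quick check); and denying files/ stops Apache from serving uploads but does not switch PHP off for other writable paths, so a `php_flag engine off` or `RemoveHandler` for the upload folder would add defense in depth.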
Source: GitHub Commit Changes
Detection Methods for CVE-2025-60947
Indicators of Compromise
- Unexpected files with executable extensions (.php, .phtml, .asp, .aspx, .jsp) in upload directories
- Web server logs showing POST requests to file upload endpoints followed by GET requests to unusual file paths
- Presence of web shells or backdoor files in the files/, var/, or vendor/ directories
- Anomalous outbound network connections from the web server process
Detection Strategies
- Monitor file system activity for creation of new executable files in web-accessible directories
- Implement web application firewall (WAF) rules to detect and block file upload attacks targeting dangerous file types
- Review web server access logs for patterns indicating file upload exploitation (POST followed by direct file access)
- Deploy file integrity monitoring (FIM) on critical application directories
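The log-review strategy above (an upload POST followed by a direct request for a script file under an upload folder) can be turned into a small checker. The following Python is an added example written for this page, not code from CSWeb or its vendor; the upload endpoint fragment (/upload), the watched folders, the ten-minute correlation window and the sample log lines are constructed assumptions that must be adjusted to the actual deployment:

```python
import re
from datetime import datetime, timedelta

# Apache "combined" access log prefix: client, ident, user, timestamp, request, status, size.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumptions for this example (not taken from the advisory): the upload endpoint is
# identified by this path fragment, and uploads land under these web-accessible folders.
UPLOAD_ENDPOINT_MARKERS = ("/upload",)
UPLOAD_DIRS = ("/files/", "/var/", "/vendor/")
EXEC_EXTS = (".php", ".phtml", ".asp", ".aspx", ".jsp")
WINDOW = timedelta(minutes=10)  # how long after a POST a matching GET still counts as correlated


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    entry["status"] = int(entry["status"])
    return entry


def is_upload_post(entry):
    """True for a POST whose path looks like the upload endpoint."""
    return entry["method"] == "POST" and any(
        marker in entry["path"].lower() for marker in UPLOAD_ENDPOINT_MARKERS
    )


def is_exec_under_upload_dir(path):
    """True for a request path that points at a script-type file inside an upload folder."""
    p = path.split("?", 1)[0].lower()
    return any(d in p for d in UPLOAD_DIRS) and p.endswith(EXEC_EXTS)


def find_suspicious(lines):
    """Flag GETs of script files under upload folders; mark those preceded by an upload POST
    from the same client within WINDOW as correlated (the upload-then-execute pattern)."""
    posts_by_ip = {}
    findings = []
    for raw in lines:
        e = parse_line(raw)
        if e is None:
            continue
        if is_upload_post(e):
            posts_by_ip.setdefault(e["ip"], []).append(e["ts"])
        elif e["method"] == "GET" and is_exec_under_upload_dir(e["path"]):
            correlated = any(
                timedelta(0) <= e["ts"] - t <= WINDOW for t in posts_by_ip.get(e["ip"], [])
            )
            findings.append({
                "ip": e["ip"],
                "user": e["user"],
                "path": e["path"],
                "status": e["status"],
                "correlated_upload": correlated,
                # 403 means the web server refused the file (e.g. the .htaccess rules held);
                # 200 means the script was served or executed and the host needs forensic review.
                "blocked": e["status"] == 403,
            })
    return findings


# Constructed sample log lines (addresses from RFC 5737 documentation ranges).
SAMPLE_LOG = [
    '203.0.113.7 - alice [23/Mar/2026:10:01:12 +0000] "POST /api/upload HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - alice [23/Mar/2026:10:01:40 +0000] "GET /files/report.php HTTP/1.1" 200 1337 "-" "Mozilla/5.0"',
    '198.51.100.4 - bob [23/Mar/2026:10:05:00 +0000] "GET /files/census.csv HTTP/1.1" 200 40000 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [23/Mar/2026:11:20:03 +0000] "GET /files/x.phtml HTTP/1.1" 403 199 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

Feed a real access log to find_suspicious() line by line. A finding with status 200 means the request was served and the host should be treated as potentially compromised; a 403 on such a path shows the deny rules held but that someone was probing for the file, which is the reconnaissance signal described under Monitoring Recommendations.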
Monitoring Recommendations
- Enable detailed logging for file upload functionality within CSWeb
- Configure alerts for new file creation in upload directories with executable extensions
- Monitor Apache/web server error logs for access denial messages to sensitive directories (indicating potential reconnaissance)
- Implement network monitoring for unusual outbound connections from web server hosts
How to Mitigate CVE-2025-60947
Immediate Actions Required
- Upgrade Census CSWeb to version 8.1.0 alpha or later immediately
- Review upload directories for any suspicious or unexpected files and remove unauthorized content
- Implement additional access controls and file type restrictions at the web server level
- Audit user accounts for unauthorized access or suspicious activity
Patch Information
The vendor has released a security patch in CSWeb version 8.1.0 alpha. The fix implements proper access controls through .htaccess rules to block direct browser access to sensitive files and directories, prevent execution of files in upload folders, and restrict access to configuration and vendor directories. The patch commit is available at the CSWeb GitHub repository.
Workarounds
- Manually apply the .htaccess rules from the security patch if immediate upgrade is not possible
- Configure web server to deny direct access to var/, files/, vendor/, and other sensitive directories
- Implement file upload restrictions at the application layer to allow only specific, safe file types
- Place the CSWeb application behind a reverse proxy with additional security controls
# Configuration example - Add to .htaccess to block sensitive directories
RewriteEngine On
# Block access to sensitive folders
RewriteRule ^(var|tests|files|bin|\.git|vendor|templates|app/config)/ - [F,L]
# Only allow safe static file types to be served directly
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_URI} \.(css|js|png|jpg|jpeg|woff2|woff|ttf|gif|ico)$
RewriteRule ^ - [L]
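For the application-layer workaround listed above (allow only specific, safe file types), the following Python shows the validation a hardened upload handler applies before anything is written to disk. It is an added example for this page, not CSWeb code (CSWeb is a PHP application, so the same checks would be ported into its upload controller); the allowlisted extensions, the magic numbers and the server-chosen storage name are assumptions picked for illustration:

```python
import os
import secrets

# Allowlist of extensions uploads may carry, with the leading bytes ("magic numbers")
# expected for the binary ones. This list is an assumption for the example, not
# CSWeb's own policy; extend it to the file types the deployment really needs.
ALLOWED = {
    ".csv": None,  # text type: no fixed magic, checked for NUL bytes below
    ".txt": None,
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}

# Extensions a web server may hand to an interpreter or treat as configuration. A name
# carrying one of these in any dotted segment (e.g. "report.php.csv") is rejected outright.
DANGEROUS = {
    ".php", ".phtml", ".php3", ".php5", ".phar",
    ".asp", ".aspx", ".jsp", ".cgi", ".htaccess",
}


def validate_upload(client_name, data):
    """Return (accepted, stored_name_or_reason).

    Only the extension decides how the file is stored; the client-supplied name is
    never written to disk, so traversal sequences and odd characters cannot reach it.
    """
    # Normalise: strip any directory component (either separator style) and lower-case.
    base = os.path.basename(client_name.replace("\\", "/")).lower()
    if base in ("", ".", ".."):
        return False, "empty or invalid name"

    parts = base.split(".")
    if len(parts) < 2:
        return False, "no extension"

    # Every dotted segment after the first is an extension candidate, so both
    # "shell.php.png" and ".htaccess" are caught here.
    exts = ["." + p for p in parts[1:]]
    if any(e in DANGEROUS for e in exts):
        return False, "dangerous extension present"

    ext = exts[-1]
    if ext not in ALLOWED:
        return False, f"extension {ext} not allowed"

    # Content check: binary types must start with their magic bytes; text types must
    # not contain NUL bytes (a cheap signal that something else was renamed to .csv).
    magic = ALLOWED[ext]
    if magic is not None and not data.startswith(magic):
        return False, "content does not match declared type"
    if magic is None and b"\x00" in data:
        return False, "binary content in text upload"

    # Server-chosen name: random, with only the validated extension appended.
    stored = secrets.token_hex(16) + ext
    return True, stored


if __name__ == "__main__":
    # Constructed sample inputs.
    for name, payload in [
        ("report.csv", b"id,name\n1,Ada\n"),
        ("shell.php", b"<?php system($_GET['c']); ?>"),
        ("photo.php.png", b"\x89PNG\r\n\x1a\n"),
        ("logo.png", b"<?php echo 1; ?>"),
        ("../../.htaccess", b"AddType application/x-httpd-php .png"),
    ]:
        print(name, "->", validate_upload(name, payload))
```

The stored name is what the handler writes under the upload folder; the original name can still be kept in the database for display. Pair this with the web-server rules above so that even a file that slips past the allowlist is never served as a script.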
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


