CVE-2026-1445 Overview
A vulnerability has been identified in iJason-Liu Books_Manager affecting the file upload functionality within controllers/books_center/upload_bookCover.php. This unrestricted file upload vulnerability allows attackers to manipulate the book_cover argument, potentially enabling the upload of malicious files to the server. The attack can be initiated remotely over the network, and exploit details have been publicly disclosed.
Critical Impact
Remote attackers with high privileges can exploit this unrestricted file upload vulnerability to potentially upload malicious files, leading to remote code execution or server compromise.
Affected Products
- iJason-Liu Books_Manager up to commit 298ba736387ca37810466349af13a0fdf828e99c
- Books_Manager rolling release versions prior to the security fix
Discovery Timeline
- January 26, 2026 - CVE-2026-1445 published to NVD
- January 27, 2026 - Last updated in NVD database
Technical Details for CVE-2026-1445
Vulnerability Analysis
This vulnerability stems from improper access control (CWE-284) in the Books_Manager application's book cover upload functionality. The affected endpoint upload_bookCover.php fails to properly validate and restrict the types of files that can be uploaded through the book_cover parameter.
The unrestricted file upload flaw allows authenticated users with elevated privileges to bypass intended file type restrictions. When exploited, an attacker could upload arbitrary files including PHP scripts, web shells, or other malicious content that could then be executed on the server.
The vulnerability exists in the Books_Manager project which uses a rolling release model, meaning specific version numbers are not available. The affected code is traceable up to commit 298ba736387ca37810466349af13a0fdf828e99c.
Root Cause
The root cause is improper access control and insufficient input validation in the file upload handler. The upload_bookCover.php controller does not adequately verify:
- File type/MIME type validation
- File extension whitelisting
- Content inspection of uploaded files
- Proper access control enforcement on the upload endpoint
This allows an attacker to bypass intended restrictions and upload files that should be prohibited, such as executable scripts or web shells.
Attack Vector
The attack is network-based and requires the attacker to have high-level privileges within the application. The exploitation flow involves:
- An authenticated attacker with elevated privileges accesses the book cover upload functionality
- The attacker crafts a malicious file (e.g., a PHP web shell) disguised or passed as an image
- The attacker submits the malicious file through the book_cover parameter to upload_bookCover.php
- Due to insufficient validation, the server accepts and stores the malicious file
- The attacker can then access the uploaded file to execute arbitrary code on the server
Technical details and proof-of-concept information have been published in the Y1Fan Blog Post detailing the getshell exploitation technique.
Detection Methods for CVE-2026-1445
Indicators of Compromise
- Unexpected files with executable extensions (.php, .phtml, .php5) in the book cover upload directory
- Web server logs showing POST requests to upload_bookCover.php with unusual file names or content types
- New or modified files in web-accessible directories that don't match expected image formats
- Outbound network connections from the web server process indicating potential command and control activity
Detection Strategies
- Monitor file system changes in the upload directories for non-image file types
- Implement web application firewall (WAF) rules to detect file upload attacks with suspicious file extensions
- Analyze HTTP POST requests to upload_bookCover.php for anomalous payloads or content types
- Review web server access logs for patterns consistent with web shell access attempts
Monitoring Recommendations
- Enable detailed logging for the Books_Manager application, particularly around file upload operations
- Configure file integrity monitoring (FIM) on web-accessible upload directories
- Set up alerts for new executable files appearing in expected image upload locations
- Monitor for unusual process spawning from the web server process (potential indicator of web shell execution)
How to Mitigate CVE-2026-1445
Immediate Actions Required
- Review and audit all files in the book cover upload directory for suspicious content
- Restrict network access to the Books_Manager application to trusted IP ranges if possible
- Implement additional authentication controls on the file upload endpoint
- Consider temporarily disabling the book cover upload functionality until a patch is available
Patch Information
The Books_Manager project uses a rolling release model, meaning specific version numbers for patched releases are not available. Users should update to the latest commit from the official repository and monitor for security updates. For additional vulnerability information, refer to VulDB #342874 and VulDB CTI ID #342874.
Workarounds
- Implement server-side file type validation that checks both file extensions and MIME types
- Configure the web server to prevent execution of uploaded files (e.g., disable PHP execution in upload directories)
- Add file content inspection to verify uploaded files are legitimate images
- Restrict upload directory permissions to prevent script execution
# Configuration example - Apache .htaccess to prevent PHP execution in upload directory
# Place in the book cover upload directory
# Disable PHP execution
<FilesMatch "\.ph(p[3-7]?|tml)$">
Require all denied
</FilesMatch>
# Only allow image files
<FilesMatch "\.(?i)(jpe?g|png|gif|webp)$">
Require all granted
</FilesMatch>
# Disable script handlers
RemoveHandler .php .phtml .php3 .php4 .php5 .php7
AddType text/plain .php .phtml .php3 .php4 .php5 .php7
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
