A vulnerability has been found in EmpireSoft EmpireCMS up to 8.0. Impacted is the function CheckSaveTranFiletype of the file e/class/connect.php. Such manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
EmpireCMS versions up to 8.0 are vulnerable to unrestricted file upload due to a flaw in the CheckSaveTranFiletype function within `e/class/connect.php`. This allows attackers to upload malicious files, potentially leading to remote code execution and complete system compromise.
Step 1: Target Identification: Identify a vulnerable EmpireCMS installation (version <= 8.0).
Step 2: Payload Preparation: Craft a malicious file (e.g., a PHP web shell) with a file extension that bypasses the validation checks (e.g., a double extension like .php.jpg or a crafted content-type header).
Step 3: Exploit Trigger: Locate the file upload functionality within EmpireCMS, likely related to image uploads, document uploads, or other file-handling features.
Step 4: File Upload: Upload the crafted malicious file through the identified upload mechanism.
Step 5: File Placement: The upload bypasses the validation and the file is uploaded to a publicly accessible directory.
Step 6: Remote Code Execution: Access the uploaded malicious file via a web browser, triggering the execution of the malicious code and granting the attacker control over the server.
The vulnerability stems from a flawed implementation of file type validation in the CheckSaveTranFiletype function. The function likely fails to adequately sanitize or validate the file extension or content type of uploaded files. This allows an attacker to bypass the intended security checks and upload files with malicious content, such as web shells or executable scripts. The lack of vendor response further exacerbates the risk, as no official patches or mitigations are available.
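As an added illustration (not EmpireCMS code, and not a claim about how CheckSaveTranFiletype is actually written), the PHP below shows the kind of allowlist-plus-content validation that closes the gaps described above: it rejects double extensions such as `.php.jpg`, ignores the client-supplied Content-Type in favour of sniffing the file bytes, and generates the stored filename on the server. The function names and the sample files are constructed for this example.

```php
<?php
// Hypothetical hardened upload check (example code, not from EmpireCMS).
function is_allowed_upload(string $originalName, string $tmpPath, array $allowedExt): bool
{
    // Reject path separators and NUL bytes in the client-supplied name.
    if (strpbrk($originalName, "/\\\0") !== false) {
        return false;
    }
    $parts = explode('.', strtolower($originalName));
    array_shift($parts);                      // drop the base name
    if (count($parts) === 0) {
        return false;                         // no extension at all
    }
    // Any server-executable extension anywhere in the name is rejected,
    // which defeats double extensions like shell.php.jpg.
    $executable = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'pht', 'shtml', 'htaccess'];
    foreach ($parts as $p) {
        if (in_array($p, $executable, true)) {
            return false;
        }
    }
    // The final extension must be on the allowlist.
    $ext = end($parts);
    if (!in_array($ext, $allowedExt, true)) {
        return false;
    }
    // Validate content by sniffing the bytes; never trust the Content-Type header.
    $expected = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    return isset($expected[$ext]) && $mime === $expected[$ext];
}

// Server-generated name: the client's filename is never reused on disk.
// Store the result outside the web root or in a directory with script execution disabled.
function safe_store_name(string $ext): string
{
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed demo inputs: a minimal PNG header and a plain-text file.
$allowed = ['jpg', 'jpeg', 'png', 'gif'];
$pngFile = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($pngFile, "\x89PNG\r\n\x1a\n\0\0\0\x0dIHDR" . str_repeat("\0", 16));
$txtFile = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($txtFile, "plain text, not an image");

var_dump(is_allowed_upload('photo.png', $pngFile, $allowed));      // genuine PNG, allowed name
var_dump(is_allowed_upload('shell.php.jpg', $pngFile, $allowed));  // double extension
var_dump(is_allowed_upload('notes.jpg', $txtFile, $allowed));      // extension lies about content
echo safe_store_name('png'), PHP_EOL;
```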