Threat Feed advisory (severity: critical)

PhreeBooks ERP 5.2.3 Arbitrary File Upload Vulnerability

PhreeBooks ERP 5.2.3 is vulnerable to arbitrary file upload in its Image Manager component, which allows authenticated attackers to upload PHP files and achieve remote code execution.

PhreeBooks ERP version 5.2.3 contains a critical arbitrary file upload vulnerability in its Image Manager component. The vulnerability allows authenticated attackers to bypass the upload's file-type restrictions and place malicious files on the server: by crafting requests to the image upload endpoint, a threat actor can upload PHP files. Successful exploitation results in arbitrary code execution on the underlying system and can lead to full system compromise. The issue has been assigned CVE-2019-25630. Because exploitation requires authentication, the set of easily exploitable targets is limited; the impact of a successful attack is nevertheless severe, giving complete control of the affected PhreeBooks ERP instance.

Attack Chain

  1. The attacker authenticates to the PhreeBooks ERP 5.2.3 application.
  2. The attacker navigates to the Image Manager component.
  3. The attacker crafts a malicious HTTP POST request to the bizuno/image/manager endpoint.
  4. The request includes the imgFile parameter containing a PHP file disguised as an image (e.g., using a double extension like evil.php.jpg).
  5. The server saves the uploaded file to a publicly accessible directory.
  6. The attacker then accesses the uploaded PHP file via a direct HTTP request to /bizunoFS.php.
  7. The bizunoFS.php script executes the malicious PHP code.
  8. The attacker gains remote code execution on the server, enabling further malicious activities like data exfiltration or system compromise.

Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the PhreeBooks ERP server. This can lead to complete compromise of the server, including data exfiltration, modification of financial records, and denial of service. While the number of affected installations is unknown, the potential impact on compromised systems is significant due to the sensitive data typically managed by ERP systems. Organizations using PhreeBooks ERP 5.2.3 are vulnerable to complete data loss, financial fraud, and reputational damage.

Recommendation

  • Apply available patches or upgrade to a secure version of PhreeBooks ERP to remediate CVE-2019-25630.
  • Implement the Sigma rule "Phreebooks Image Upload" to detect suspicious requests to the bizuno/image/manager endpoint.
  • Monitor web server logs for access to PHP files within the image upload directories, as this can be a sign of successful exploitation via bizunoFS.php.
  • Implement server-side validation of uploaded file names to reject dangerous extensions such as .php, including double extensions of the form .php.jpg.
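As an added example (not part of this advisory and not the platform's own Sigma rules), the following Python script applies the two recommendations above to constructed web-server access-log lines: it records each client's POST requests to the bizuno/image/manager route and raises an alert when the same client later requests bizunoFS.php with a PHP-named file (including double extensions such as evil.php.jpg) inside the correlation window. The index.php route form and the src/imgFile query-string names are assumptions, not taken from PhreeBooks.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (combined format). The route form and the
# "src"/"imgFile" query names are assumptions, not taken from PhreeBooks itself.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "POST /index.php?p=bizuno/image/manager&imgFile=evil.php.jpg HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [10/Mar/2024:12:00:03 +0000] "GET /bizunoFS.php?src=images/evil.php.jpg HTTP/1.1" 200 88 "-" "curl/8.0"
198.51.100.7 - - [10/Mar/2024:12:01:10 +0000] "POST /index.php?p=bizuno/image/manager HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:12:01:12 +0000] "GET /bizunoFS.php?src=images/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:13:30:00 +0000] "GET /bizunoFS.php?src=images/shell.php HTTP/1.1" 200 20 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# ".php" (or php3/phtml/phar) as the final extension or followed by another one (evil.php.jpg).
PHP_EXT = re.compile(r'\.(php\d?|phtml|phar)(\.|$)', re.IGNORECASE)
UPLOAD_ROUTE = "bizuno/image/manager"
FS_SCRIPT = "/bizunofs.php"

def has_php_name(value):
    """True if a filename or query value carries a PHP extension, double extensions included."""
    return bool(PHP_EXT.search(value))

def parse_line(line):
    """Parse one combined-format access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(rec["target"])
    rec["path"], rec["query"] = unquote(parts.path).lower(), unquote(parts.query)
    return rec

def find_suspicious(lines, window=timedelta(minutes=10)):
    """Return (client_ip, stage, timestamp) alerts for the upload -> bizunoFS.php chain."""
    last_upload = {}  # client ip -> time of its most recent POST to the image manager
    alerts = []
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] == "POST" and UPLOAD_ROUTE in (rec["path"] + rec["query"].lower()):
            last_upload[rec["ip"]] = rec["ts"]
            if has_php_name(rec["query"]):  # only visible when the file name is in the query string
                alerts.append((rec["ip"], "php_upload_attempt", rec["ts"]))
        elif rec["path"].endswith(FS_SCRIPT) and has_php_name(rec["query"]):
            prior = last_upload.get(rec["ip"])
            chained = prior is not None and timedelta(0) <= rec["ts"] - prior <= window
            stage = "php_exec_after_upload" if chained else "php_via_bizunofs"
            alerts.append((rec["ip"], stage, rec["ts"]))
    return alerts
```

A multipart upload's file name is not written to the access log, so the POST on its own only marks the client; the later bizunoFS.php request naming a .php file is the stronger signal. Legitimate users also fetch images through bizunoFS.php, which is why the requested file name, not the script access itself, drives the alert.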

Detection coverage (2 rules)

Phreebooks Image Upload (severity: high)

Detects attempts to upload PHP files to the Phreebooks image manager.

Rule type: sigma. Tactics: execution, initial_access. Techniques: T1189. Sources: webserver, linux.

Phreebooks bizunoFS.php Execution (severity: critical)

Detects access to the bizunoFS.php file, which may indicate RCE after a file upload.

Rule type: sigma. Tactics: execution. Techniques: T1059.001. Sources: webserver, linux.

Detection queries are kept inside the platform.