CVE-2018-17826

Name of the Vulnerable Software and Affected Versions HisiPHP version 1.0.8

Description The issue allows for a CSRF attack via the "admin.php/admin/user/adduser.html" API endpoint to add an administrator account. An attacker can then use this account to execute arbitrary PHP code by modifying the allowable file-upload types in "app/common/model/AdminAnnex.php" to include .php, in addition to the default types (.jpg, .png, .gif, .jpeg, and .ico).

Recommendations For HisiPHP version 1.0.8, consider disabling the "admin.php/admin/user/adduser.html" endpoint until a patch is available to prevent CSRF attacks, and restrict modifications to the file-upload types in "app/common/model/AdminAnnex.php" to prevent arbitrary PHP code execution.