CVE-2020-12255

Name of the Vulnerable Software and Affected Versions rConfig version 3.9.4

Description The issue is related to remote code execution due to improper validation in the file upload functionality. Specifically, vendor.crud.php accepts file uploads by checking the content-type without considering the file extension and header. This allows an attacker to exploit the vulnerability by uploading a .php file to vendor.php that contains arbitrary PHP code and changing the content-type to image/gif.

Recommendations For rConfig version 3.9.4, consider disabling the file upload functionality in vendor.crud.php until a patch is available to prevent exploitation. Restrict access to vendor.php to minimize the risk of uploading malicious files. Avoid using the file upload feature with arbitrary content-type headers until the issue is resolved.