CVE-2024-28105

CVE-2024-28105 is a high-severity unrestricted upload of dangerous file types vulnerability in phpmyfaq/phpmyfaq (composer), affecting versions = 3.2.5. It is fixed in 3.2.6.

Summary

The category image upload function in phpmyfaq is vulnerable to manipulation of the Content-type and lang parameters, allowing attackers to upload malicious files with a .php extension, potentially leading to remote code execution (RCE) on the system.

Details

In the file upload function of the category image, the Content-type can be manipulated to return an empty string for the extension and the lang parameter can be set to .php. to allow an attacker to save a file as .PHP. This allows the uploading of web shells which could lead to RCE on phpmyfaq.

PoC

  1. Generate a fake .GIF file that contains a php command using the tool gifsicle
    a. Cmd: gifsicle < test1.gif --comment "<?php system('whoami'); ?>" > output.php.gif

    b. The contents of the file should look like this:

  2. Browse to “../phpmyfaq/admin/?action=addcategory” and upload the fake .GIF file

  3. Intercept the upload request and modify the params below and forward it:
    3a. lang parameter to .php.
    3b. Content-Type parameter from image/gif to image/gif2

  4. Browse to the “/phpmyfaq/images” directory and notice that our fake .GIF file has been uploaded as a PHP file with the category number as its filename.

  5. Now we just need to browse to “../phpmyfaq/images/category--.php” and see the results of our whoami command. Hence, verifying that RCE is achieved.

Occurrences

In CategoryImage.php line 124, the getimagesize and isValidMimeType functions can be bypassed by uploading a fake .GIF file generated by gifsicle.

In CategoryImage.php line 85, the getFileExtension function returns an empty string when the content type doesnt match any of the following 3 mappings. Hence, its possible to just supply an invalid content type such as image/gif2 in step 3 of the PoC to make the function return an empty string.

In CategoryImage.php line 66, the getFileName function generate the filename by concatenating the categoryId, categoryName and fileExtension together. This allows us to save the file with a .PHP extension. (It should be possible to just set the payload in step 3 above to just .php but it doesnt work and im not sure why..)

Impact

Attackers can upload malicious files containing executable code, allowing them to take control of the vulnerable system. This enables them to execute arbitrary commands, steal sensitive data, disrupt services, and potentially escalate their privileges, posing significant risks to the security and integrity of the system and its data.

The application accepts file uploads without adequately restricting the file type or content. Typical impact: remote code execution if the uploaded file can be served and executed on the server.

CVE-2024-28105 has a CVSS score of 7.2 (High). The vector is network-reachable, high privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (3.2.6); upgrading removes the vulnerable code path.

Affected versions

phpmyfaq/phpmyfaq (= 3.2.5)

Security releases

phpmyfaq/phpmyfaq → 3.2.6 (composer)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

I believe one of the ways to solve this vulnerability is by forcing the getFileExtension function to return one of the 3 mimetype instead of an empty string. This ensures that the uploaded file will have an image extension and will not execute as a PHP file.

Frequently Asked Questions

  1. What is CVE-2024-28105? CVE-2024-28105 is a high-severity unrestricted upload of dangerous file types vulnerability in phpmyfaq/phpmyfaq (composer), affecting versions = 3.2.5. It is fixed in 3.2.6. The application accepts file uploads without adequately restricting the file type or content.
  2. How severe is CVE-2024-28105? CVE-2024-28105 has a CVSS score of 7.2 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of phpmyfaq/phpmyfaq are affected by CVE-2024-28105? phpmyfaq/phpmyfaq (composer) versions = 3.2.5 is affected.
  4. Is there a fix for CVE-2024-28105? Yes. CVE-2024-28105 is fixed in 3.2.6. Upgrade to this version or later.
  5. Is CVE-2024-28105 exploitable, and should I be worried? Whether CVE-2024-28105 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2024-28105 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2024-28105? Upgrade phpmyfaq/phpmyfaq to 3.2.6 or later.

Other vulnerabilities in phpmyfaq/phpmyfaq

CVE-2026-49205CVE-2026-48488CVE-2026-35675CVE-2026-35672CVE-2026-35671

Stop the waste.
Protect your environment with Kodem.