A critical remote code execution vulnerability has been identified in multiple TinyWebGallery products. The flaw allows an unauthenticated attacker to upload a malicious file and execute arbitrary code, leading to a complete compromise of the affected server. This could result in data theft, service disruption, and the server being used for further malicious activities.

The vulnerability exists within the admin upload functionality of the affected software. The upload mechanism fails to properly validate file types, allowing an unauthenticated attacker to upload executable files, such as a PHP Archive (.phar). By crafting a .phar file containing malicious PHP code and uploading it to the server, an attacker can then trigger its execution by simply navigating to the file's URL. This provides the attacker with remote code execution capabilities, effectively giving them full control over the web server under the privileges of the web service account.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation could lead to a complete compromise of the server's confidentiality, integrity, and availability. Potential consequences include theft of sensitive business or customer data, website defacement, deployment of ransomware, or the use of the compromised server to attack other systems on the internal network. The unauthenticated nature of the vulnerability means that any publicly accessible instance is at extreme risk, posing a significant threat to business operations and reputation.

Immediate Action:

• Immediately update all instances of TinyWebGallery to the latest patched version as recommended by the vendor.
• Consult the official vendor security advisory for specific patch information and version details.
• Review web server access and error logs for any signs of exploitation, such as suspicious file uploads or requests to .phar or .php files in upload directories.

Proactive Monitoring:

• Monitor web server logs for POST requests to upload functionalities that result in files with extensions like .phar, .php, .phtml, or other script types being written to disk.
• Implement file integrity monitoring on the web application's directories to detect the creation of unauthorized files.
• Monitor for unusual outbound network traffic from the web server, which could indicate a successful compromise and communication with a command-and-control server.

Compensating Controls:

• If immediate patching is not feasible, restrict access to the administrative and file upload functionalities using a Web Application Firewall (WAF) or by limiting access to trusted IP addresses.
• Disable the file upload feature entirely if it is not essential for business operations.
• Configure the web server to prevent the execution of scripts (e.g., PHP) within the designated upload directories.

Public Exploit Available: true

Given the critical nature and unauthenticated attack vector of this vulnerability, we strongly recommend that organizations take immediate action. The highest priority is to apply the vendor-supplied patches to all affected systems without delay. Due to the high likelihood of exploitation, organizations should also proactively hunt for indicators of compromise on any potentially affected servers, even after patching is complete. This vulnerability represents a direct and severe threat and must be remediated as a top priority.