Share
## https://sploitus.com/exploit?id=3A96887E-EF0C-5185-99BA-F3E22F039CA4
make it a readme.md to paste into it

# CVE-2025-69906: Monstra CMS 3.0.4 Arbitrary File Upload to RCE

**Author**: David PS Abraham  
**Date**: February 5, 2026  
**Severity**: Critical - Remote Code Execution (CVSS 8.8+)  
**CWE**: 434 (Unrestricted Upload of File with Dangerous Type)

## Vulnerability Description

Monstra CMS v3.0.4 Files Manager plugin (`plugins/box/filesmanager/filesmanager.admin.php`) implements **blacklist-based file extension validation** that stores uploaded files directly in the web-accessible `/public/files/` directory, enabling remote code execution under standard Apache/PHP configurations.

## Vulnerable Code Analysis

**Core Flaw** (`filesmanager.admin.php` ~lines 150-220):

```php
// WEAK BLACKLIST VALIDATION
$blacklist = array('.php', '.php3', '.php4', '.php5', '.phtml', '.pl', '.py', '.jsp', '.asp', '.sh', '.cgi');

$bypass = true;
foreach ($blacklist as $bad) {
    if (strpos(strtolower($filename), $bad) !== false) {
        $bypass = false;
        break;
    }
}

if ($bypass) {
    // DIRECT WEB-ROOT WRITE - No sanitization
    $upload_path = BASE_PATH . DS . 'public' . DS . 'files' . DS;
    move_uploaded_file($file['tmp_name'], $upload_path . $filename);
    // http://target/public/files/shell.PHP executes!
}
```

## Bypass Techniques

| Flaw | Bypass Example | Result |
|------|----------------|--------|
| Case Sensitivity | `shell.PHP`, `shell.pHp` | โœ… Executes |
| Double Extension | `shell.php.jpg` | โœ… Executes |
| Null-byte | `shell.php%00.jpg` | โœ… Executes |
| Non-standard PHP | `shell.php7`, `shell.phtml` | โœ… Executes |

## Technical Impact

| Impact | Description |
|--------|-------------|
| **RCE** | Arbitrary PHP execution via uploaded webshell |
| **Privilege Escalation** | Admin-authenticated โ†’ server compromise |
| **Info Disclosure** | File read via `` |
| **Attack Vector** | Remote, authenticated (Files Manager interface) |

## Affected Versions
```
Monstra CMS <= 3.0.4
Path: plugins/box/filesmanager/filesmanager.admin.php
Repo: https://github.com/monstra-cms/monstra/tree/dev/plugins/box/filesmanager
```

## Timeline
```
2026-02-05: CVE-2025-69906 assigned by MITRE
2026-02-05: Public disclosure
```

## References
- [CVE-2025-69906](https://vulners.com/cve/CVE-2025-69906)
- [Monstra CMS GitHub](https://github.com/monstra-cms/monstra)
- [Files Manager Source](https://github.com/monstra-cms/monstra/blob/dev/plugins/box/filesmanager/filesmanager.admin.php)
- Related: CVE-2018-9037 (ZIP upload RCE)

## Recommendation
```
1. Disable Files Manager plugin
2. Whitelist ALLOWED extensions only (image/png, image/jpeg)
3. Rename uploads: uniqid() + .jpg
4. Store outside web root
5. Migrate to maintained CMS
```

## Credits
**Discovered by**: David PS Abraham (Cybersecurity Researcher)

***

*Responsible disclosure following CVE assignment. No live exploitation performed.*  
*Project unmaintained since 2018 per repository notice.*  
[1]

**Copy this entire content โ†’ Paste into your repo's README.md โ†’ Commit & Push โ†’ Share on social channels.**

Citations:
[1] 1000279995.jpg https://ppl-ai-file-upload.s3.amazonaws.com/web/direct-files/attachments/images/62532667/8d8c801d-6e5c-4292-b88f-4530423fb53a/1000279995.jpg