Share
## https://sploitus.com/exploit?id=42525977-25C5-5817-9939-01B43B987179
# Emlog-v2.6.9-Vulnerability-Report

**CVE ID**: REQUESTED  
**Date Submitted**: April 5, 2026  
**Vendor / Product**: Emlog  
**Software Link**: https://www.emlog.net/  
**Affected Version**: Emlog Pro (All historical versions up to the latest v2.6.9)  
**Vulnerability Type**: Path Traversal (CWE-22) / Arbitrary File Write leading to Remote Code Execution (RCE)  

## 1. Vulnerability Description
A Path Traversal vulnerability exists in the Emlog Pro Content Management System (CMS) via the template management module (`/admin/template.php`). The system fails to properly sanitize filenames during the extraction of ZIP format template files. 

An authenticated administrative attacker can exploit this flaw by constructing a malicious ZIP archive containing directory traversal sequences (e.g., `../`). When the administrator uploads and extracts this template via the backend interface, the system writes the malicious payload outside the intended template directory. This allows the attacker to overwrite the default (or arbitrary) template files, such as `header.php` or `footer.php`, ultimately resulting in full-site Remote Code Execution (RCE).

## 2. Impact
**Severity**: CRITICAL  

- **Full Server Control**: Attackers can execute arbitrary PHP code, gaining Web Server shell privileges.
- **Widespread Visitor Exploitation**: By directly modifying the default template files, malicious code is triggered whenever any site visitor accesses the default page.
- **Persistence & Stealth**: The malicious script is hidden within the default template structure, making it difficult to detect. Even if the malicious template is deleted, the overwritten files or hidden backdoors may remain.
- **Supply Chain Impact**: Modifying default template entry points affects the normal functional logic of the application.

*Note: According to FOFA search engine statistics, there are currently over 6,400 deployments of the Emlog system exposed to the internet. Installations lacking IP restrictions for the backend access are highly vulnerable.*
![FOFA deployment statistics screenshot](assert/Pasted%20image%2020260405154320.png)

## 3. Root Cause Analysis
The vulnerability stems from the `emUnZip()` function in `/admin/template.php` (lines 69-105) and its handling of the extraction process in `/include/lib/common.php` (lines 768-808).
![emUnZip function analysis](assert/Pasted%20image%2020260405154326.png)
![extractTo path handling analysis](assert/Pasted%20image%2020260405154330.png)
Specifically, in `/include/lib/common.php` around line 780, the `switch (case 'tpl')` block only verifies whether a `header.php` file exists within the archive. At line 802, the `extractTo()` function directly extracts the files without performing any validation, filtering, or sanitization on the file names (e.g., checking for path traversal strings or restricting file extensions). The malicious files are then extracted to `/content/templates/[template_name]/` and any traversed paths respectively, becoming directly accessible via the web.
![ZIP extraction validation issue](assert/Pasted%20image%2020260405154336.png)
![Directory traversal impact](assert/Pasted%20image%2020260405154339.png)

## 4. Proof of Concept (PoC)

**Test Environment:**
- **Emlog Version**: Emlog Pro v2.6.9 (Official Release, MD5: B178E2174A74989B2C83D8D3F3EC92E9)
- **Environment**: phpstudy_pro v8.1 (PHP 7.3.4 + Apache 2.4.39) on Windows 11 x64

### Step 1: Craft the Malicious ZIP Payload
Use the following Python script to generate a malicious ZIP archive (`evil_tpl_poc.zip`) containing a directory traversal payload:

```python
import zipfile

# Targeted output for the malicious ZIP archive
zip_filename = 'evil_tpl_poc.zip'

print(f"[*] Preparing to generate malicious ZIP with directory traversal payload...")

with zipfile.ZipFile(zip_filename, 'w') as z:
    # 1. Construct a standard template directory structure to bypass emUnZip validation
    # For 'tpl' type, it must contain a valid directory with a header.php
    z.writestr('default111/', '')
    z.writestr('default111/header.php', '')
    
    # 2. Add a directory traversal record, pointing to the parent directory's default header.php
    z.writestr('../default/header.php', b'')

print(f"\n[+] Success! Malicious archive saved as: {zip_filename}")
print("[!] You can now upload this archive via the Emlog backend 'Install Template' feature.")
```

### Step 2: Exploit via Backend Template Upload
1. Log into the Emlog backend as an administrator.
2. Navigate to `Console` -> `Appearance` -> `Template` -> `Install Template`.
3. Choose "Upload and Install" and upload the crafted `evil_tpl_poc.zip`.
4. The system will prompt "Installation Successful" and extract the contents.
5. Due to the directory traversal payload (`../default/header.php`), the original default template file is overwritten.
![Template upload and install result](assert/Pasted%20image%2020260405154508.png)

### Step 3: Trigger Execution
Visit the targeted frontend page (`http(s)://target/`). The modified `header.php` executes the malicious PHP payload (e.g., `phpinfo()` or a webshell). 
![Triggered execution in browser](assert/Pasted%20image%2020260405154526.png)

## 5. Remediation Measures
- **Path Sanitization**: Implement strict path validation. Ensure that the target extraction path is within the designated `/content/templates/` directory by resolving the absolute path (`realpath()`) and comparing the prefix.
- **Traversal Prevention**: Explicitly deny and strip directory traversal sequences (`../`, `..\\`) from file names inside the ZIP archive.
- **Content Validation**: Iterate through the compressed files to inspect both filenames and file contents, whitelisting expected file extensions and rejecting any anomalies before extraction.

## 6. Disclosure Status
This vulnerability was discovered and verified independently on the official, default installation of Emlog Pro v2.6.9. It has been submitted to MITRE/CNA for CVE assignment on April 5, 2026, and simultaneously reported to CNVD.

## 7. References
- See CVE_Report.docx for details