# CVE-2023-5311

> Missing Authorization to .htaccess File leads to RCE

## Description

The minimum permissions of a subscriber normally do not include uploading or overwriting server files such as `.htaccess`. When a vulnerability or misconfiguration lets a subscriber do so anyway, the result is a path to Remote Code Execution (RCE) on the server: `.htaccess` controls how Apache handles every file in the directory, including files the attacker is already allowed to upload.

## Analysis

* The **`register`** function handles three POST branches, `save_root`, `save_content` and `save_includes`. Each one takes the request-supplied `$_POST['wp_extra']['htaccess_root']`, `htaccess_content` or `htaccess_includes` value and writes it straight into a `.htaccess` file with `file_put_contents`, so a low-privileged user can place arbitrary `.htaccess` content through any of them. No authorization check guards these branches. Note the difference in semantics: the root branch overwrites the file unconditionally, while the content and includes branches only write when the file does not yet exist; an empty value, however, deletes the existing file with `unlink`, so an existing file can be removed in one request and replaced in the next.

```php
// Branch 1: site-root .htaccess. Nothing in this branch checks who is making
// the request. ($path_root, assumed to hold the site-root .htaccess path, is
// defined outside this excerpt.)
if (!empty($_POST['save_root'])) {
    if (isset($_POST['wp_extra']['htaccess_root'])) {
        $htaccess_root = trim(stripslashes($_POST['wp_extra']['htaccess_root']));
        if ($htaccess_root) {
            // Overwrites the existing file unconditionally; '@' hides write errors.
            @file_put_contents($path_root, $htaccess_root);
        }
    }
}
```

```php
// Branch 2: .htaccess under $path_content (assumed to be the wp-content
// directory, from the parameter name). Writes only when the file is absent;
// an empty value removes the file.
if (!empty($_POST['save_content'])) {
    if (isset($_POST['wp_extra']['htaccess_content'])) {
        $htaccess_content = trim(stripslashes($_POST['wp_extra']['htaccess_content']));
        if ($htaccess_content) {
            if (!file_exists($path_content)) {
                @file_put_contents($path_content, $htaccess_content);
            }
        } else {
            // Empty submission deletes the existing file; a second request can then recreate it.
            unlink($path_content);
        }
    }
}
```

```php
// Branch 3: .htaccess under $path_includes (assumed to be the wp-includes
// directory, from the parameter name). Same write-if-absent / unlink-if-empty
// logic as the content branch, again with no authorization check.
if (!empty($_POST['save_includes'])) {
    if (isset($_POST['wp_extra']['htaccess_includes'])) {
        $htaccess_includes = trim(stripslashes($_POST['wp_extra']['htaccess_includes']));
        if ($htaccess_includes) {
            if (!file_exists($path_includes)) {
                @file_put_contents($path_includes, $htaccess_includes);
            }
        } else {
            unlink($path_includes);
        }
    }
}
```
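For comparison, here is how the three branches look once the missing checks are in place. This is an added example, not the plugin's own code: it assumes WordPress is loaded, that `$path_root`, `$path_content` and `$path_includes` point at the three `.htaccess` files, and it introduces a nonce field named `wp_extra_nonce` and a function name `wp_extra_save_htaccess` purely for illustration.

```php
<?php
// Added example, not the plugin's own code: the three save branches with the
// authorization and CSRF checks the vulnerable register() lacks. Assumes
// WordPress is loaded; the path variables and the nonce field name
// 'wp_extra_nonce' are assumptions for illustration.

function wp_extra_save_htaccess(array $post, string $path_root, string $path_content, string $path_includes): array
{
    // 1. Authorization: writing .htaccess changes how the whole site is served,
    //    so require a capability that only administrators hold.
    if (!current_user_can('manage_options')) {
        return ['error' => 'forbidden'];
    }

    // 2. CSRF: the form must carry a nonce bound to this action. The form side
    //    emits it with wp_nonce_field('wp_extra_save_htaccess', 'wp_extra_nonce').
    $nonce = isset($post['wp_extra_nonce']) ? (string) $post['wp_extra_nonce'] : '';
    if (!wp_verify_nonce($nonce, 'wp_extra_save_htaccess')) {
        return ['error' => 'bad_nonce'];
    }

    // Flag => [POST field, target file], mirroring the original branches.
    $targets = [
        'save_root'     => ['htaccess_root',     $path_root],
        'save_content'  => ['htaccess_content',  $path_content],
        'save_includes' => ['htaccess_includes', $path_includes],
    ];

    $result = [];
    foreach ($targets as $flag => [$field, $path]) {
        if (empty($post[$flag]) || !isset($post['wp_extra'][$field])) {
            continue;
        }
        // wp_unslash() rather than stripslashes(): WordPress adds the slashes on input.
        $body = trim(wp_unslash($post['wp_extra'][$field]));

        if ($body === '') {
            // Empty submission removes the file, as the original does.
            $result[$field] = (!file_exists($path) || unlink($path)) ? 'removed' : 'unlink_failed';
            continue;
        }

        // Write to a temp file in the same directory, then rename, so a
        // partially written .htaccess is never served. Check the return value
        // instead of suppressing errors with '@'.
        $tmp = $path . '.tmp-' . wp_generate_password(8, false);
        if (file_put_contents($tmp, $body, LOCK_EX) === false || !rename($tmp, $path)) {
            @unlink($tmp);
            $result[$field] = 'write_failed';
            continue;
        }
        $result[$field] = 'written';
    }
    return $result;
}

// Usage inside the plugin's request handler (assumed call site):
// $out = wp_extra_save_htaccess($_POST, $path_root, $path_content, $path_includes);
```

The capability check is the fix for the CVE itself; the nonce check stops an administrator from being tricked into submitting the same form from another site, and the temp-file-plus-rename write avoids a window in which Apache reads a truncated `.htaccess`.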

## POC

Upload handlers typically blacklist executable extensions such as `.php`, but once the attacker controls `.htaccess` they can instruct Apache to pass files with an otherwise allowed extension to the PHP interpreter. A file uploaded with that extension is then executed like a regular PHP script, which yields Remote Code Execution (RCE).

<figure><img src="https://2201636059-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSfoQhbocJNOvMrmTVxh9%2Fuploads%2Fc3DJIMspNbj5AW9GoQgT%2Fimage.png?alt=media&#x26;token=7035e84b-34e1-47a7-8c59-65e94a8d1cfc" alt=""><figcaption></figcaption></figure>
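From the defender's side, the quickest check after an incident like this is to audit the three `.htaccess` files for directives that turn otherwise harmless uploads into executable files. The following is an added example, not part of the original write-up: the function name `wp_extra_audit_htaccess` and the two sample files at the bottom are constructed for illustration, and the stock rewrite block stands in for a clean WordPress `.htaccess`.

```php
<?php
// Added example, not from the original page: scan .htaccess contents for
// directives that make Apache or PHP execute files an upload filter would
// otherwise treat as harmless. The sample inputs at the bottom are constructed.

function wp_extra_audit_htaccess(string $contents): array
{
    // Each pattern matches one way of turning "safe" files into executable ones.
    $patterns = [
        '/^\s*AddType\s+application\/x-httpd-php\S*\s+/i'
            => 'AddType maps an extension to the PHP MIME type',
        '/^\s*AddHandler\s+(?:application\/x-httpd-php\S*|php\S*-script|fcgid-script|cgi-script)\s+/i'
            => 'AddHandler routes an extension to a script handler',
        '/^\s*SetHandler\s+(?:application\/x-httpd-php\S*|php\S*|proxy:(?:fcgi|unix):)/i'
            => 'SetHandler sends matching files to PHP',
        '/^\s*php_(?:value|flag)\s+auto_(?:prepend|append)_file\s+/i'
            => 'auto_prepend_file/auto_append_file includes an attacker-chosen file on every request',
        '/^\s*Options\b[^#]*(?<![-\w])\+?ExecCGI\b/i'
            => 'ExecCGI enables CGI execution in this directory',
        '/^\s*(?:RemoveHandler|RemoveType)\b/i'
            => 'RemoveHandler/RemoveType can strip a protective mapping',
    ];

    $findings = [];
    foreach (preg_split('/\R/', $contents) as $idx => $line) {
        if (preg_match('/^\s*#/', $line)) {
            continue; // comment line
        }
        foreach ($patterns as $re => $why) {
            if (preg_match($re, $line)) {
                $findings[] = ['line' => $idx + 1, 'why' => $why, 'text' => trim($line)];
                break;
            }
        }
    }
    return $findings;
}

// Constructed samples: the stock WordPress rewrite block, and an attacker's
// file that makes .jpg uploads run as PHP and prepends one on every request.
$benign = <<<'HT'
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
HT;

$hostile = <<<'HT'
AddType application/x-httpd-php .jpg
php_value auto_prepend_file /var/www/html/wp-content/uploads/cover.jpg
HT;

foreach (['benign' => $benign, 'hostile' => $hostile] as $name => $text) {
    $hits = wp_extra_audit_htaccess($text);
    printf("%s: %d finding(s)\n", $name, count($hits));
    foreach ($hits as $h) {
        printf("  line %d: %s  [%s]\n", $h['line'], $h['text'], $h['why']);
    }
}
```

Run it over the site-root, `wp-content` and `wp-includes` copies (the three files the vulnerable branches write) and compare each against a known-good copy. Two caveats worth keeping in mind: `php_value`/`php_flag` lines only take effect under mod_php and are ignored under PHP-FPM, and `AddType`/`AddHandler`/`SetHandler` only work where `AllowOverride` grants `FileInfo`, so limiting `AllowOverride` to what the site actually needs shrinks what an attacker-written `.htaccess` can do.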

Thanks for reading, have a nice day :heart:
