
Cloud Vulnerability DB
A community-led vulnerabilities database
BookStack before version 0.25.5 contained a vulnerability (CVE-2020-5256) where users could upload PHP files through image upload functions, potentially allowing remote code execution. The vulnerability was discovered in early 2020 and was patched through a series of updates (v0.25.3, v0.25.4, and v0.25.5) released in March 2020 (GitHub Advisory, NVD).
The vulnerability allowed users to upload PHP files with various extensions (including non-.php extensions like .phtml or .php3) through the image upload functionality. These files could then be executed remotely on the server with the permissions of the PHP process. The issue was particularly concerning in environments where untrusted users had permissions to upload images (GitHub v0.25.3, GitHub v0.25.4).
Successful exploitation of this vulnerability could allow attackers to execute arbitrary code on the host system with PHP process privileges. This could potentially lead to access to sensitive files on the server, including the BookStack .env file, which might contain critical configuration data and credentials (GitHub v0.25.3).
The issue was addressed through multiple security patches. Version 0.25.3 added initial protections, v0.25.4 introduced a whitelist of permitted file extensions, and v0.25.5 blocked filenames carrying more than one extension and switched attachments to random file names. Alternative workarounds included using the local_secure image storage option, storing images in S3 or a similar service, or preventing direct execution of PHP files through web-server configuration (GitHub v0.25.5, GitHub Advisory).
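The weak block-list check the advisory describes, beside a hardened version applying the three protections from v0.25.4 and v0.25.5, as an added example written for this page rather than BookStack's own code; the extension allow-list, the function names and the Python implementation are assumptions.

```python
import secrets
from pathlib import PurePosixPath

# Image extensions accepted by the hardened upload path (assumed list).
# An allow-list, not a block-list: anything not listed is rejected.
ALLOWED_IMAGE_EXTENSIONS = frozenset({"png", "jpg", "jpeg", "gif", "webp"})


def blocklist_accepts(filename: str) -> bool:
    """'Before' behaviour: only a literal '.php' suffix is refused.

    This is the weak check the advisory describes: variants such as
    .phtml or .php3, which PHP-enabled web servers commonly execute,
    pass straight through.
    """
    return not filename.lower().endswith(".php")


def check_upload(filename: str) -> tuple[bool, str]:
    """Hardened check: returns (True, random stored name) or (False, reason).

    Covers the three protections from the advisory: an extension
    allow-list, rejection of multi-extension names, and random naming.
    """
    # Strip any directory component (either separator) so a name such as
    # '../../public/x.png' cannot steer where the file is stored.
    name = PurePosixPath(filename.replace("\\", "/")).name
    if not name or name.startswith("."):
        return False, "missing base name or extension"
    parts = name.lower().split(".")
    if len(parts) < 2:
        return False, "no extension"
    # 'shell.php.png' or 'shell.png.phtml': some server configurations
    # dispatch on any '.php*' segment, so more than one extension is refused.
    if len(parts) > 2:
        return False, f"multiple extensions not allowed: {name}"
    ext = parts[1]
    if ext not in ALLOWED_IMAGE_EXTENSIONS:
        return False, f"extension not allowed: .{ext}"
    # The uploader never controls the stored name, so it cannot be
    # predicted or chosen to collide with an existing file.
    return True, f"{secrets.token_hex(16)}.{ext}"
```

Pair this with web-server configuration that refuses to execute PHP from the upload directory, since the filename check alone does not cover content that is later renamed or served by a different handler.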
Source: This report was generated using AI