CVE-2005-2733
Published: 2005-08-30
Priority: P3 (53, high) · CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available
EPSS: 50.89% (98.8th percentile)
upload_img_cgi.php in Simple PHP Blog (SPHPBlog) does not properly restrict file extensions of uploaded files, which could allow remote attackers to execute arbitrary code.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| alexander_palmo | simple_php_blog | <= 0.5.0.1 | — |
| alexander_palmo | simple_php_blog | — | — |
Detection & IOCs (extracted from sources)
- Detect unauthenticated GET requests to /config/password.txt — this is the first stage of the exploit chain, retrieving the password hash without authentication.
- Detect multipart/form-data POST to /upload_img_cgi.php with non-image file extensions (e.g., .php) in the filename field — this is the unrestricted file upload vector.
- Detect GET requests to /comment_delete_cgi.php with a 'comment' parameter containing path traversal sequences (e.g., '../' or './config/') — used to delete arbitrary files including password.txt.
- Detect POST to /install03_cgi.php after a DELETE of /config/password.txt — the attacker is resetting credentials as part of the exploit chain.
- Detect access to /images/*.php — uploaded PHP webshells (cmd.php or randomly named .php files) placed in the images directory are executed here.
- Correlate the full exploit chain in sequence: GET /config/password.txt → DELETE via comment_delete_cgi.php → POST /install03_cgi.php → POST /login_cgi.php → POST /upload_img_cgi.php (PHP file) → GET /images/<shell>.php
- Note: the Metasploit module targets Simple PHP Blog <= 0.4.0 only; versions above 0.4.0 (up to but not including 0.5.1) may be vulnerable to a related but distinct incomplete blacklist bypass (CVE-2007-5071), not CVE-2005-2733.
- Note: the default URI path used by the Metasploit module is /sphpblog — detections should account for installations at non-default paths.
- Note: the uploaded PHP shell filenames in the Metasploit module are randomly generated (20 random alphanumeric chars + .php), so static filename-based detection will miss automated exploitation; focus on the path pattern /images/*.php instead.
- Note: the original PoC exploit script (exploit-db 1191) uses a hardcoded filename 'cmd.php', whereas the Metasploit module uses random names — detection rules should cover both patterns.
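Detection logic for the chain listed above, written here as an added example that is not part of this record or of any tool it indexes. It maps constructed WAF/proxy events (the JSON field names client, method, path and upload_filename are assumptions) to the chain stages, matches on path suffixes so non-default install paths are covered, treats any non-image upload filename as suspicious (including the .php. and .htaccess variants from CVE-2007-5071), and flags a client only when every stage appears in order.

```python
import json
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed WAF/proxy events (JSON lines). Field names are assumptions;
# upload_filename comes from multipart inspection and is absent on other requests.
SAMPLE_EVENTS = [
    '{"client":"10.0.0.5","method":"GET","path":"/sphpblog/config/password.txt"}',
    '{"client":"10.0.0.5","method":"GET","path":"/sphpblog/comment_delete_cgi.php?comment=../config/password.txt"}',
    '{"client":"10.0.0.5","method":"POST","path":"/sphpblog/install03_cgi.php"}',
    '{"client":"10.0.0.5","method":"POST","path":"/sphpblog/login_cgi.php"}',
    '{"client":"10.0.0.5","method":"POST","path":"/sphpblog/upload_img_cgi.php","upload_filename":"cmd.php"}',
    '{"client":"10.0.0.5","method":"GET","path":"/sphpblog/images/cmd.php?cmd=id"}',
    '{"client":"10.0.0.9","method":"POST","path":"/blog/upload_img_cgi.php","upload_filename":"photo.jpg"}',
]

def suspicious_upload(name):
    # Non-image extension, ".php" anywhere (covers the CVE-2007-5071 variants), or .htaccess.
    n = name.lower()
    ext = n[n.rfind("."):] if "." in n else ""
    return ext not in {".jpg", ".jpeg", ".gif", ".png"} or ".php" in n or n.startswith(".htaccess")

# Chain stages in attack order; each predicate takes (method, path, query dict, upload filename).
STAGES = [
    ("hash_read", lambda m, p, q, f: m == "GET" and p.endswith("/config/password.txt")),
    ("arbitrary_delete", lambda m, p, q, f: p.endswith("/comment_delete_cgi.php")
        and any("../" in c or "./config/" in c for c in q.get("comment", []))),
    ("credential_reset", lambda m, p, q, f: m == "POST" and p.endswith("/install03_cgi.php")),
    ("login", lambda m, p, q, f: m == "POST" and p.endswith("/login_cgi.php")),
    ("php_upload", lambda m, p, q, f: m == "POST" and p.endswith("/upload_img_cgi.php")
        and bool(f) and suspicious_upload(f)),
    ("shell_exec", lambda m, p, q, f: m == "GET" and "/images/" in p and p.lower().endswith(".php")),
]
CHAIN = [name for name, _ in STAGES]

def stage_of(ev):
    # Match on the path suffix: installs may sit under a non-default prefix (default is /sphpblog).
    url = urlsplit(ev.get("path", ""))
    args = (ev.get("method", ""), url.path, parse_qs(url.query), ev.get("upload_filename", ""))
    return next((name for name, pred in STAGES if pred(*args)), None)

def in_order(stages):
    it = iter(stages)  # subsequence test: every CHAIN stage appears for this client, in order
    return all(any(s == want for s in it) for want in CHAIN)

def analyze(lines):
    # Returns ({client: [stages seen, in order]}, {clients that completed the full chain}).
    seen = defaultdict(list)
    for ev in map(json.loads, lines):
        if stage := stage_of(ev):
            seen[ev["client"]].append(stage)
    return dict(seen), {client for client, stages in seen.items() if in_order(stages)}
```

A single stage hit (for example one /images/*.php request) is worth a lower-severity alert on its own; the full-chain set is the high-confidence signal.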
GHSA
CVE-2005-2733 [HIGH] GHSA-f8gh-gjjw-cw86: upload_img_cgi (ghsa_unreviewed, 2022-05-01)
GHSA
CVE-2007-5071 [HIGH] GHSA-f84q-7gqj-p267: Incomplete blacklist vulnerability in upload_img_cgi (ghsa_unreviewed, 2022-05-01, CVSS 7.5)
Incomplete blacklist vulnerability in upload_img_cgi.php in Simple PHP Blog before 0.5.1 allows remote attackers to upload dangerous files and execute arbitrary code, as demonstrated by a filename ending in .php. or a .htaccess file, a different vector than CVE-2005-2733. NOTE: the vulnerability was also present in a 0.5.1 download available in the early morning of 20070923. NOTE: the original 20070920 disclosure provided an incorrect filename, img_upload_cgi.php.
No detection rules found.
Exploit-DB
CVE-2005-2733 Simple PHP Blog 0.4.0 - Remote Command Execution (Metasploit) (exploitdb, 2010-07-25)
---
The indexed module source is cut off after the payload options; the extraction also dropped the text between angle brackets, which is restored below from the framework's standard module layout and from the module description indexed further down this page.
```ruby
##
# $Id: sphpblog_file_upload.rb 9929 2010-07-25 21:37:54Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
    include Msf::Exploit::Remote::HttpClient

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Simple PHP Blog <= 0.4.0 Remote Command Execution',
            'Description'    => %q{
                This module combines three separate issues within The Simple PHP Blog (<= 0.4.0)
                application to upload arbitrary data and thus execute a shell. The first
                vulnerability exposes the hash file (password.txt) to unauthenticated users.
                The second vulnerability lies within the image upload system provided to
                logged-in users; there is no image validation function in the blogger to
                prevent an authenticated user from uploading any file type. The third
                vulnerability occurs within the blog comment functionality, allowing
                arbitrary files to be deleted.
            },
            'Author'         => [ 'Matteo Cantoni', 'patrick' ],
            'License'        => MSF_LICENSE,
            'Version'        => '$Revision: 9929 $',
            'References'     =>
                [
                    ['CVE', '2005-2733'],
                    ['OSVDB', '19012'],
                    ['BID', '14667'],
                    ['URL', 'http://www.milw0rm.com/exploits/1191'],
                ],
            'Privileged'     => false,
            'Payload'        =>
                {
                    'DisableNo
```
Exploit-DB
CVE-2005-2787 Simple PHP Blog 0.4.0 - Multiple Remote s (exploitdb, 2005-09-01)
---
The indexed script is cut off partway through its header comment.
```perl
#!/usr/bin/perl -w
#===============================================================================
# Title: sphpblog_vulns.pl
#
# Written by: Kenneth F. Belva, CISSP
# Franklin Technologies Unlimited, Inc.
# http://www.ftusecurity.com
#
# Date: August 25, 2005
#
# Version: 0.1
#
# Description: This program is for educational purposes only!
# SimplePHPBlog has a few vulnerabilities which this
# perl script demonstrates via an exploit.
#
# Instructions: Should be self-explanatory via the .pl help menu
#
# Solutions:
# *** Solution 1
# Change the line in comment_delete_cgi.php from
# $logged_in = logged_in( false, true ); to
# $logged_in = logged_in( true, true );
#
# *** Solution 2
# Place an .htaccess file with the following config in
# the ./co
```
Metasploit
Simple PHP Blog Remote Command Execution (metasploit)
This module combines three separate issues within The Simple PHP Blog (<= 0.4.0) application to upload arbitrary data and thus execute a shell. The first vulnerability exposes the hash file (password.txt) to unauthenticated users. The second vulnerability lies within the image upload system provided to logged-in users; there is no image validation function in the blogger to prevent an authenticated user from uploading any file type. The third vulnerability occurs within the blog comment functionality, allowing arbitrary files to be deleted.
No writeups or analysis indexed.
References:
- http://marc.info/?l=bugtraq&m=112511159821143&w=2
- http://secunia.com/advisories/16598/
- http://www.securityfocus.com/bid/14667
- https://exchange.xforce.ibmcloud.com/vulnerabilities/22012