CVE-2009-3068
published 2009-09-04


Priority: P180 critical
CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 78.18% (99.5th percentile)
Unrestricted file upload vulnerability in the RoboHelpServer Servlet (robohelp/server) in Adobe RoboHelp Server 8 allows remote attackers to execute arbitrary code by uploading a Java Archive (.jsp) file during a PUBLISH action, then accessing it via a direct request to the file in the robohelp/robo/reserved/web directory under its sessionid subdirectory, as demonstrated by the vd_adobe module in VulnDisco Pack Professional 8.7 through 8.11.

Affected

1 ranges
Vendor | Product | Version range | Fixed in
adobe | robohelp_server | |

Detection & IOCs (extracted from sources)

url: /robohelp/server?PUBLISH=1
path: /robohelp/server
path: /robohelp/robo/reserved/web/
url: /robohelp/robo/reserved/web/%s/test.jsp
filename: test.jsp
command: POST /robohelp/server?PUBLISH=<uid> with multipart/form-data boundary and UID header uploading .jsp file
  • Detect POST requests to /robohelp/server with PUBLISH parameter and multipart/form-data content type containing a .jsp file upload — this is the exploitation upload stage.
  • Detect GET requests to /robohelp/robo/reserved/web/<sessionid>/*.jsp — this is the second-stage payload execution request.
  • Look for the custom HTTP header 'UID' in requests to /robohelp/server — this header is used by the exploit to bypass authentication.
  • Inspect multipart/form-data uploads to /robohelp/server for files with Content-Type: application/x-java-archive and .jsp extensions — indicates malicious JSP trojan upload.
  • Server responses containing a 'sessionid' header following a POST to /robohelp/server?PUBLISH= indicate a successful exploitation upload stage.
  • The Metasploit module targets Apache-Coyote servers; correlate Apache-Coyote server fingerprint with RoboHelp-specific URI patterns to prioritize alerting.
  • The exploit uses a randomly generated UID value and a random 8-character uppercase .jsp filename in the Metasploit module, so filename and UID header values will vary per session; do not rely on static values like '1234' or 'test.jsp' for detection.
  • The default target port is 8080, but the vulnerability is in the servlet path itself; detection rules should not be port-restricted, as deployments may vary.
  • Exploitation requires two sequential HTTP requests: a POST to upload the JSP, followed by a GET to execute it; single-request detection will miss the full attack chain.
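
The two-stage correlation described in the notes above, as an added example (not part of the original page or of any vendor tooling): it scans web access logs for a PUBLISH POST to /robohelp/server followed by a .jsp GET under /robohelp/robo/reserved/web/ from the same client, without depending on port, filename or UID value. The log format, the 10-minute window, the sample lines and the name `detect` are assumptions; access logs do not record the UID header or multipart body, so those checks need proxy or WAF visibility.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Sep/2009:10:00:01 +0000] "POST /robohelp/server?PUBLISH=48213 HTTP/1.1" 200 312
203.0.113.7 - - [04/Sep/2009:10:00:03 +0000] "GET /robohelp/robo/reserved/web/a1b2c3/QWERTYUI.jsp HTTP/1.1" 200 5
198.51.100.9 - - [04/Sep/2009:10:05:00 +0000] "GET /robohelp/robo/reserved/web/zz99/help.jsp HTTP/1.1" 404 0
192.0.2.44 - - [04/Sep/2009:10:06:00 +0000] "POST /robohelp/server?PUBLISH=7 HTTP/1.1" 200 300
192.0.2.44 - - [04/Sep/2009:11:30:00 +0000] "GET /robohelp/index.htm HTTP/1.1" 200 900
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Stage 1: POST to the servlet with a PUBLISH parameter (any value).
UPLOAD = re.compile(r'^/robohelp/server\?(?:.*&)?PUBLISH=', re.I)
# Stage 2: any .jsp directly under a session subdirectory of reserved/web.
EXEC = re.compile(r'^/robohelp/robo/reserved/web/[^/]+/[^/?]+\.jsp(?:[?;]|$)', re.I)

def detect(log_text, window=timedelta(minutes=10)):
    """Return (level, client, uri, status) tuples.

    level is 'upload' for a PUBLISH POST, 'chain' for a JSP GET that follows
    an upload from the same client within `window`, else 'jsp-request'.
    """
    uploads = {}   # client -> time of its most recent PUBLISH POST
    alerts = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        client, ts, method, uri, status = m.groups()
        uri = unquote(uri)  # normalise percent-encoding before matching
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if method == "POST" and UPLOAD.match(uri):
            uploads[client] = when
            alerts.append(("upload", client, uri, int(status)))
        elif method == "GET" and EXEC.match(uri):
            seen = uploads.get(client)
            chained = seen is not None and timedelta(0) <= when - seen <= window
            level = "chain" if chained else "jsp-request"
            alerts.append((level, client, uri, int(status)))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Correlating on client address misses chains split across source addresses, so the single-stage 'upload' and 'jsp-request' results are still worth reviewing on their own.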