CVE-2012-1153
published 2012-10-06


Priority: P2 · 62
CVSS 2.0: 6.8 (medium), vector AV:N/AC:M/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 32.41% (98.1th percentile)
Unrestricted file upload vulnerability in addons/uploadify/uploadify.php in appRain CMF 0.1.5 and earlier allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in the uploads directory.

Affected

6 ranges

Vendor | Product | Version range | Fixed in
apprain | apprain | <= 0.1.5 |
apprain | apprain | |
apprain | apprain | |
apprain | apprain | |
apprain | apprain | |
apprain | apprain | |

Detection & IOCs

path: addons/uploadify/uploadify.php
path: addons/uploadify/uploads/
url: addons/uploadify/uploadify.php
url: addons/uploadify/uploads/#{payload_name}
  • Monitor HTTP POST requests to addons/uploadify/uploadify.php — unauthenticated file uploads to this endpoint are the attack vector; any 200 response with a PHP filename in the body indicates successful upload.
  • Alert on HTTP GET requests to addons/uploadify/uploads/ for files with executable extensions (.php, .exe, .jsp) — this is the direct-request execution step following upload.
  • Detect multipart POST bodies containing the boundary string 'o0oOo0o' targeting uploadify.php — this is the specific boundary used in both the public PoC and Metasploit module.
  • Scan upload directories for unexpected .php, .exe, or .jsp files as an indicator of successful exploitation.
  • Use grep or SIEM to detect PHP files appearing in the web-accessible uploads path: find /var/www/uploads/ -type f | grep -i "\.php"
  • Check for a 200 OK response with an empty body on a GET to addons/uploadify/uploadify.php — the Metasploit module uses this as a detection check for a vulnerable installation.
  • The vulnerability exists only in appRain CMF version 0.1.5 and earlier; the fix suggested by the vendor was to add check_admin_login() at the beginning of uploadify.php to require authentication before file upload.
  • The Metasploit module defaults TARGETURI to /appRain-q-0.1.5; installations at non-default paths will require adjusting this parameter for exploitation or detection tuning.
  • No official patch is available for affected versions; the recommended mitigation is to disable file upload functionality or transition to a more secure platform.
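The log-based checks listed above, as an added example (not code from this page, the public PoC or the Metasploit module): a Python scan over web access logs that flags POSTs to uploadify.php, empty-body 200 responses to a GET on it, and requests for executable extensions under uploads/, marking those that come from a client that POSTed to the uploader earlier. The Apache combined log format, the sample lines and the finding labels are assumptions.

```python
import re

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [06/Oct/2012:10:01:02 +0000] "GET /appRain-q-0.1.5/addons/uploadify/uploadify.php HTTP/1.1" 200 0 "-" "-"
203.0.113.7 - - [06/Oct/2012:10:01:05 +0000] "POST /appRain-q-0.1.5/addons/uploadify/uploadify.php HTTP/1.1" 200 14 "-" "-"
203.0.113.7 - - [06/Oct/2012:10:01:06 +0000] "GET /appRain-q-0.1.5/addons/uploadify/uploads/example.php HTTP/1.1" 200 5 "-" "-"
198.51.100.4 - - [06/Oct/2012:10:02:00 +0000] "GET /appRain-q-0.1.5/addons/uploadify/uploads/logo.png HTTP/1.1" 200 4096 "-" "-"
198.51.100.9 - - [06/Oct/2012:10:03:00 +0000] "GET /appRain-q-0.1.5/addons/uploadify/uploads/old.PHP?x=1 HTTP/1.1" 404 0 "-" "-"
"""

# client, method, request target, status, response size
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')
UPLOADER = "addons/uploadify/uploadify.php"
UPLOADS = "addons/uploadify/uploads/"
EXEC_EXT = (".php", ".exe", ".jsp")  # extensions named in the checks above


def scan(log_text):
    """Return (client, finding, status) tuples in log order."""
    findings = []
    uploaders = set()  # clients already seen POSTing to the uploader
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, method, target, status, size = m.groups()
        # Drop the query string and fold case so old.PHP?x=1 still matches.
        path = target.split("?", 1)[0].lower()
        if path.endswith(UPLOADER):
            if method == "POST":
                uploaders.add(ip)
                findings.append((ip, "upload-post", status))
            elif method == "GET" and status == "200" and size in ("0", "-"):
                findings.append((ip, "probe-empty-200", status))
        elif UPLOADS in path and path.endswith(EXEC_EXT):
            kind = "exec-after-upload" if ip in uploaders else "exec-request"
            findings.append((ip, kind, status))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

Access logs do not record response bodies, so the "PHP filename in the body" check still needs proxy or packet-level capture.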