CVE-2012-1153
Published 2012-10-06
Priority P2 62 · medium · 6.8 CVSS 2.0 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 32.41% (98.1th percentile)
Unrestricted file upload vulnerability in addons/uploadify/uploadify.php in appRain CMF 0.1.5 and earlier allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in the uploads directory.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apprain | apprain | <= 0.1.5 | — |
| apprain | apprain | — | — |
| apprain | apprain | — | — |
| apprain | apprain | — | — |
| apprain | apprain | — | — |
| apprain | apprain | — | — |
Detection & IOCs
- Monitor HTTP POST requests to addons/uploadify/uploadify.php — unauthenticated file uploads to this endpoint are the attack vector; any 200 response with a PHP filename in the body indicates successful upload.
- Alert on HTTP GET requests to addons/uploadify/uploads/ for files with executable extensions (.php, .exe, .jsp) — this is the direct-request execution step following upload.
- Detect multipart POST bodies containing the boundary string 'o0oOo0o' targeting uploadify.php — this is the specific boundary used in both the public PoC and Metasploit module.
- Scan upload directories for unexpected .php, .exe, or .jsp files as an indicator of successful exploitation.
- Use grep or SIEM to detect PHP files appearing in the web-accessible uploads path: find /var/www/uploads/ -type f | grep -i '\.php'
- Check for a 200 OK response with an empty body on a GET to addons/uploadify/uploadify.php — the Metasploit module uses this as a detection check for a vulnerable installation.
- The vulnerability exists only in appRain CMF version 0.1.5 and earlier; the fix suggested by the vendor was to add check_admin_login() at the beginning of uploadify.php to require authentication before file upload.
- The Metasploit module defaults TARGETURI to /appRain-q-0.1.5; installations at non-default paths will require adjusting this parameter for exploitation or detection tuning.
- No official patch is available for affected versions; the recommended mitigation is to disable file upload functionality or transition to a more secure platform.
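
An added example (not part of the original page or of any tool it cites): an access-log scan that applies the uploadify.php POST check, the executable-extension GET check and the empty-200 probe check listed above, correlating upload and follow-up request by client IP. It assumes Apache/nginx combined log format; the function name, rule names and sample log lines are constructed for illustration.

```python
import re

# Combined Log Format: ip ident user [ts] "METHOD path PROTO" status size ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')
# Endpoint and upload directory named in the advisory, at any install prefix.
UPLOADER = re.compile(r'/addons/uploadify/uploadify\.php(?:\?|$)', re.I)
DROPPED = re.compile(r'/addons/uploadify/uploads/[^?]*\.(?:php|exe|jsp)(?:\?|$)', re.I)

def scan(lines):
    """Return (rule, ip, timestamp, path) findings, in log order."""
    findings = []
    uploaded_from = set()  # clients already seen POSTing to the uploader
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue  # unparseable line: skip rather than guess
        ip, ts, method, path, status, size = m.groups()
        if UPLOADER.search(path):
            if method == "POST":
                uploaded_from.add(ip)
                findings.append(("upload_post", ip, ts, path))
            elif method == "GET" and status == "200" and size in ("0", "-"):
                # Empty 200 on GET: the vulnerable-install check described above.
                findings.append(("empty_200_probe", ip, ts, path))
        elif method == "GET" and DROPPED.search(path):
            # Higher confidence when the same client uploaded earlier.
            rule = "upload_then_exec" if ip in uploaded_from else "exec_ext_request"
            findings.append((rule, ip, ts, path))
    return findings

# Constructed sample lines (documentation IP ranges, not real traffic).
P = "/appRain-q-0.1.5/addons/uploadify"
SAMPLE = [
    f'198.51.100.7 - - [25/May/2012:10:00:01 +0000] "GET {P}/uploadify.php HTTP/1.1" 200 0',
    f'198.51.100.7 - - [25/May/2012:10:00:02 +0000] "POST {P}/uploadify.php HTTP/1.1" 200 12',
    f'198.51.100.7 - - [25/May/2012:10:00:03 +0000] "GET {P}/uploads/a1b2.php HTTP/1.1" 200 44',
    f'203.0.113.9 - - [25/May/2012:10:05:00 +0000] "GET {P}/uploads/logo.png HTTP/1.1" 200 5120',
    f'203.0.113.20 - - [25/May/2012:10:06:00 +0000] "GET {P}/uploads/report.JSP HTTP/1.1" 404 0',
    '192.0.2.5 - - [25/May/2012:10:07:00 +0000] "GET /index.php HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(*finding, sep="\t")
```

Access logs do not record request or response bodies, so the 'o0oOo0o' boundary and the filename returned in the upload response need a WAF, proxy or packet capture instead.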
No detection rules found.
Exploit-DB
appRain CMF - Arbitrary '.PHP' File Upload (Metasploit)
exploitdb·2012-05-25
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 "appRain CMF Arbitrary PHP File Upload Vulnerability",
      'Description' => %q{
          This module exploits a vulnerability found in appRain's Content Management
        Framework (CMF), version 0.1.5 or less. By abusing the uploadify.php file, a
        malicious user can upload a file to the uploads/ directory without any
        authentication, which results in arbitrary code execution.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'EgiX', #Discovery, PoC
          'sinn3r' #Metasplo
```
Exploit-DB
appRain CMF 0.1.5 - 'Uploadify.php' Unrestricted Arbitrary File Upload
exploitdb·2012-01-19
---
```php
    check_admin_login();

    add this lines of code at the beginning of the script

    [-] Disclosure timeline:

    [19/12/2011] - Vulnerability discovered
    [19/12/2011] - Issue reported to http://www.apprain.com/ticket/1135
    [20/12/2011] - Vendor response and fix suggested
    [16/01/2012] - After four weeks still no fix released
    [19/01/2012] - Public disclosure
*/

error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);

function http_send($host, $packet)
{
    if (!($sock = fsockopen($host, 80)))
        die("\n[-] No response from {$host}:80\n");

    fputs($sock, $packet);
    return stream_get_contents($sock);
}

print "\n+---------------------------------------------------------------+";
print "\n| appRain CMF \n";
print "\
```
Metasploit
appRain CMF Arbitrary PHP File Upload Vulnerability
metasploit
This module exploits a vulnerability found in appRain's Content Management Framework (CMF), version 0.1.5 or less. By abusing the uploadify.php file, a malicious user can upload a file to the uploads/ directory without any authentication, which results in arbitrary code execution.
- http://archives.neohapsis.com/archives/bugtraq/2012-01/0128.html
- http://www.exploit-db.com/exploits/18392
- http://www.exploit-db.com/exploits/18922
- http://www.openwall.com/lists/oss-security/2012/03/09/5
- http://www.openwall.com/lists/oss-security/2012/03/10/5
- http://www.osvdb.org/78473
- http://www.securityfocus.com/bid/51576
- https://exchange.xforce.ibmcloud.com/vulnerabilities/72466