CVE-2013-0803
published 2020-02-11

CVE-2013-0803: A PHP File Upload Vulnerability exists in PolarBear CMS 2.5 via upload.php, which could let a malicious user execute arbitrary code.

Priority: P274, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 74.98% (99.4th percentile)

Affected

1 range

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| polarbear_cms_project | polarbear_cms | | |

Detection & IOCs (extracted from sources)

  • path: `/polarbearcms/includes/jquery.uploadify/upload.php`
  • filename: `upload.php`

  • Monitor for unauthenticated HTTP POST requests to the path `/includes/jquery.uploadify/upload.php` with a multipart/form-data body containing a `.php` filename in the `Filedata` field — this is the exact upload vector used by the exploit.
  • Alert on HTTP GET requests to a newly created `.php` file under the configured `UPLOADDIR` (default `/polarbearcms/`) immediately following a POST to `upload.php` — this is the two-stage upload-then-execute pattern used by the exploit.
  • The exploit checks for a 200 response from a GET to `upload.php` as a pre-exploitation fingerprint step; a 200 on that path with no parameters is a strong indicator of a vulnerable PolarBear CMS installation being probed.
  • The `folder` parameter in the POST query string to `upload.php` specifies the web-accessible upload destination; monitor for `.php` files appearing in directories specified by this parameter.
  • The default TARGETURI and UPLOADDIR in the Metasploit module are both `/polarbearcms/`, but these are operator-configurable; detections scoped only to this default path may miss attacks against non-default install paths.
  • The uploaded PHP payload filename is randomly generated (5 random alpha characters + `.php`), so static filename-based detection will not work; pattern-based detection on `.php` uploads to the uploadify path is required.
  • The exploit targets both PHP payloads and Linux x86 payloads; detection should not be limited to PHP web shell uploads alone.
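
One way to implement the upload-then-request correlation from the notes above over a web server access log (an added example, not code from this page or from the Metasploit module). It assumes Combined Log Format and a 60-second window; `find_upload_then_fetch` and the sample lines are constructed for illustration. Access logs do not record the multipart `Filedata` filename, so the sketch keys on the `folder` query parameter and matches the uploadify path under any install prefix.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Combined Log Format fields used: client, timestamp, method, request target
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')
UPLOADIFY = "/includes/jquery.uploadify/upload.php"  # suffix only: install prefix varies
WINDOW = timedelta(seconds=60)                        # assumed correlation window

# Constructed sample log lines (documentation IP ranges, non-default install path /cms/)
SAMPLE = [
    '198.51.100.9 - - [12/Mar/2024:10:00:00 +0000] "GET /cms/index.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [12/Mar/2024:10:00:05 +0000] "GET /cms/includes/jquery.uploadify/upload.php HTTP/1.1" 200 0',
    '203.0.113.7 - - [12/Mar/2024:10:00:06 +0000] "POST /cms/includes/jquery.uploadify/upload.php?folder=/cms/ HTTP/1.1" 200 1',
    '203.0.113.7 - - [12/Mar/2024:10:00:07 +0000] "GET /cms/index.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [12/Mar/2024:10:00:08 +0000] "GET /cms/abcde.php HTTP/1.1" 200 0',
]

def find_upload_then_fetch(lines):
    """Return (client, upload_path, fetched_path) for each POST-then-GET pair."""
    pending, seen, hits = {}, set(), []   # seen = paths requested earlier in the log
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        client, ts, method, target = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        url = urlsplit(target)
        if method == "POST" and url.path.endswith(UPLOADIFY):
            folder = parse_qs(url.query).get("folder", [""])[0]
            if folder:
                dest = ("/" + folder.strip("/") + "/").replace("//", "/")
                pending.setdefault(client, []).append((when, url.path, dest))
        elif method == "GET":
            if url.path not in seen:      # only paths never requested before the upload
                for t0, upload_path, dest in pending.get(client, []):
                    name = url.path[len(dest):]
                    if (url.path.startswith(dest) and name and "/" not in name
                            and timedelta(0) <= when - t0 <= WINDOW):
                        hits.append((client, upload_path, url.path))
            seen.add(url.path)
    return hits
```

The match is on any first-seen file directly under the `folder` directory, not only `.php` names, since the notes above say detection should not be limited to PHP uploads.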

CVSS provenance

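| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |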