CVE-2013-0803
Published 2020-02-11
A PHP File Upload Vulnerability exists in PolarBear CMS 2.5 via upload.php, which could let a malicious user execute arbitrary code.
Priority P274 · critical · 9.8 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 74.98% (99.4th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| polarbear_cms_project | polarbear_cms | — | — |
Detection & IOCs (extracted from sources)
- Monitor for unauthenticated HTTP POST requests to the path `/includes/jquery.uploadify/upload.php` with a multipart/form-data body containing a `.php` filename in the `Filedata` field — this is the exact upload vector used by the exploit.
- Alert on HTTP GET requests to a newly created `.php` file under the configured `UPLOADDIR` (default `/polarbearcms/`) immediately following a POST to `upload.php` — this is the two-stage upload-then-execute pattern used by the exploit.
- The exploit checks for a 200 response from a GET to `upload.php` as a pre-exploitation fingerprint step; a 200 on that path with no parameters is a strong indicator of a vulnerable PolarBear CMS installation being probed.
- The `folder` parameter in the POST query string to `upload.php` specifies the web-accessible upload destination; monitor for `.php` files appearing in directories specified by this parameter.
- The default TARGETURI and UPLOADDIR in the Metasploit module are both `/polarbearcms/`, but these are operator-configurable; detections scoped only to this default path may miss attacks against non-default install paths.
- The uploaded PHP payload filename is randomly generated (5 random alpha characters + `.php`), so static filename-based detection will not work; pattern-based detection on `.php` uploads to the uploadify path is required.
- The exploit targets both PHP payloads and Linux x86 payloads; detection should not be limited to PHP web shell uploads alone.
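The correlation described in the list above, as an added example (not part of the original page and not a rule shipped by any project). It assumes combined-format web access logs, a 60-second correlation window, and treats a `.php` path as new when it was not requested earlier in the same log; the sample lines are constructed. Access logs do not record the multipart `Filedata` filename, so the sketch keys on the request path and the `folder` query parameter rather than on any install path or filename.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

UPLOAD_SUFFIX = "/includes/jquery.uploadify/upload.php"  # path named on the page
WINDOW = timedelta(seconds=60)  # assumed correlation window, tune per site
# Combined Log Format prefix: ip - - [time] "METHOD target PROTO" status
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    url = urlsplit(target)
    return {"ip": ip, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "path": url.path,
            "query": parse_qs(url.query), "status": int(status)}

def detect(lines):
    """Return (kind, client_ip, path) findings in log order."""
    findings, uploads, known = [], [], set()  # uploads: (time, folder)
    for ev in filter(None, map(parse, lines)):
        is_upload = ev["path"].lower().endswith(UPLOAD_SUFFIX)
        if is_upload and ev["method"] == "POST":
            folder = ev["query"].get("folder", [""])[0]
            if folder:  # web-accessible destination chosen by the client
                uploads.append((ev["time"], folder.rstrip("/") + "/"))
            findings.append(("upload_post", ev["ip"], ev["path"]))
        elif is_upload and ev["method"] == "GET" and not ev["query"] \
                and ev["status"] == 200:
            findings.append(("probe", ev["ip"], ev["path"]))
        elif ev["method"] == "GET" and ev["path"].lower().endswith(".php"):
            parent = ev["path"].rsplit("/", 1)[0] + "/"
            fresh = ev["path"] not in known  # never requested before in this log
            known.add(ev["path"])
            if fresh and any(parent == f and timedelta(0) <= ev["time"] - t <= WINDOW
                             for t, f in uploads):
                findings.append(("upload_then_get", ev["ip"], ev["path"]))
    return findings

# Constructed sample log (documentation IPs, non-default install path /cms/)
SAMPLE = [
    '198.51.100.9 - - [26/Feb/2013:09:59:00 +0000] "GET /cms/index.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [26/Feb/2013:10:00:01 +0000] "GET /cms/includes/jquery.uploadify/upload.php HTTP/1.1" 200 0',
    '203.0.113.7 - - [26/Feb/2013:10:00:02 +0000] "POST /cms/includes/jquery.uploadify/upload.php?folder=/cms/ HTTP/1.1" 200 1',
    '203.0.113.7 - - [26/Feb/2013:10:00:03 +0000] "GET /cms/qwert.php HTTP/1.1" 200 0',
    '198.51.100.9 - - [26/Feb/2013:10:00:04 +0000] "GET /cms/index.php HTTP/1.1" 200 512',
]
```

Matching on the path suffix keeps the check independent of the install directory, and the pre-existing `index.php` is not flagged because it was already seen before the upload.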
CVSS provenance
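| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |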
No detection rules found.
Exploit-DB
PolarPearCMS - Arbitrary '.PHP' File Upload (Metasploit)
exploitdb·2013-02-26
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'msf/core/exploit/php_exe'
class Metasploit3 'PolarPearCms PHP File Upload Vulnerability',
'Description' => %q{
This module exploits a file upload vulnerability found in PlarPear CMS
By abusing the upload.php file, a malicious user can upload a file to a temp
directory without authentication, which results in arbitrary code execution.
},
'Author' =>
[
'Fady Mohamed Osman' # @Fady_Osman
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2013-
Metasploit
PolarBear CMS PHP File Upload Vulnerability
metasploit
This module exploits a file upload vulnerability found in PolarBear CMS. By abusing the upload.php file, a malicious user can upload a file to a temp directory without authentication, which results in arbitrary code execution.
No writeups or analysis indexed.
- http://www.exploit-db.com/exploits/24549
- https://exchange.xforce.ibmcloud.com/vulnerabilities/82378
- https://packetstormsecurity.com/files/cve/CVE-2013-0803
Published: 2020-02-11