CVE-2013-3591
Published 2020-02-07
CVE-2013-3591: vTiger CRM 5.3 and 5.4: 'files' Upload Folder Arbitrary PHP Code Execution Vulnerability
Priority: P2 · 72 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 43.10% (98.6th percentile)
Affected
4 ranges indexed (two distinct vendor/product pairs; no version bounds were captured for any of them). The Metasploit module below confirms 5.3.0 and 5.4.0 as affected.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vtiger | vtiger_crm | not specified | not specified |
| vtiger_crm | vtiger_crm | not specified | not specified |
Detection & IOCs (extracted from sources)
- Detect multipart POST requests to /kcfinder/browse.php with parameters type=files and act=upload; this is the upload endpoint abused to plant a PHP webshell.
- Alert on files with a .php3 extension being uploaded via the KCFinder component; the exploit appends '.php3' specifically to bypass upload filters, so treat any other PHP-executable extension (.php, .phtml, .php5 and so on) the same way.
- Monitor HTTP GET requests to /test/upload/files/*.php3 (or any PHP-executable extension) shortly after a POST to the KCFinder upload endpoint from the same client; that GET is the payload trigger.
- Inspect POST bodies to /index.php for the vTiger authentication action (module=Users&action=Authenticate) followed shortly by a KCFinder upload request carrying the same session cookie; this sequence indicates exploitation. The authentication parameters are in the request body, so plain access logs will not show them; this indicator needs a WAF or full-request capture.
- The multipart upload form-data field 'dir' is set to 'files', targeting the insufficiently privileged upload folder; detect this field value in upload requests to KCFinder.
- The exploit requires valid credentials (authenticated RCE); the Metasploit module defaults to admin/admin, so instances still running default credentials are at highest risk.
- The vulnerability is confirmed only against vTiger CRM v5.4.0 and v5.3.0; the Metasploit check function returns Safe for other versions.
- The Metasploit description attributes the root cause to insufficient privileges on the 'files' upload folder within KCFinder. Tightening what can be written to that directory mitigates the issue; since the payload only runs because the web server executes scripts from the upload path, also deny script execution there and restrict the accepted upload extensions.
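Detection logic for the indicators above, as an added example that is not part of the indexed sources or of the Metasploit module: it parses constructed combined-format access-log lines (the /vtigercrm install prefix, the client addresses and the five-minute correlation window are assumptions), flags POSTs to the KCFinder upload endpoint with type=files and act=upload, and raises an alert when the same client then fetches a PHP-executable file from the 'files' upload folder. The authentication POST parameters live in the request body, which access logs do not record, so that indicator is not modeled here.

```python
"""Correlate KCFinder 'files' uploads with a follow-up script fetch in web access logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/nginx combined format (not real traffic).
# The /vtigercrm prefix, client addresses and user agents are assumptions for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [31/Oct/2013:10:00:01 +0000] "POST /vtigercrm/index.php HTTP/1.1" 302 0 "-" "curl/7.x"
10.0.0.5 - - [31/Oct/2013:10:00:02 +0000] "POST /vtigercrm/kcfinder/browse.php?type=files&lng=en&act=upload HTTP/1.1" 200 15 "-" "curl/7.x"
10.0.0.5 - - [31/Oct/2013:10:00:03 +0000] "GET /vtigercrm/test/upload/files/x7q2.php3 HTTP/1.1" 200 512 "-" "curl/7.x"
10.0.0.9 - - [31/Oct/2013:10:05:00 +0000] "POST /vtigercrm/kcfinder/browse.php?type=images&act=upload HTTP/1.1" 200 15 "-" "Mozilla/5.0"
10.0.0.9 - - [31/Oct/2013:10:05:01 +0000] "GET /vtigercrm/test/upload/images/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.7 - - [31/Oct/2013:11:00:00 +0000] "GET /vtigercrm/test/upload/files/report.pdf HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Extensions a stock Apache/PHP setup may execute; .php3 is the one the exploit uses.
EXEC_EXTS = (".php", ".php3", ".php4", ".php5", ".phtml", ".phar")
WINDOW = timedelta(minutes=5)  # assumed correlation window between upload and trigger


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    return {
        "client": m["client"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": parts.path,
        "query": {k: v[0] for k, v in parse_qs(parts.query).items()},
        "status": int(m["status"]),
    }


def is_kcfinder_files_upload(ev):
    """Indicator: POST to /kcfinder/browse.php with type=files and act=upload."""
    return (ev["method"] == "POST"
            and ev["path"].endswith("/kcfinder/browse.php")
            and ev["query"].get("type") == "files"
            and ev["query"].get("act") == "upload")


def is_upload_dir_script_hit(ev):
    """Indicator: GET of a PHP-executable file under the 'files' upload folder."""
    return (ev["method"] == "GET"
            and "/test/upload/files/" in ev["path"]
            and ev["path"].lower().endswith(EXEC_EXTS))


def correlate(log_text, window=WINDOW):
    """Return one alert per script fetch from the upload folder, graded by whether the
    same client issued a KCFinder 'files' upload within `window` beforehand."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    uploads = defaultdict(list)  # client -> timestamps of suspicious uploads
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if is_kcfinder_files_upload(ev):
            uploads[ev["client"]].append(ev["ts"])
        elif is_upload_dir_script_hit(ev):
            recent = [t for t in uploads[ev["client"]]
                      if timedelta(0) <= ev["ts"] - t <= window]
            alerts.append({
                "client": ev["client"],
                "payload": ev["path"],
                "status": ev["status"],
                # A script fetch with no recent upload still deserves a look (delayed
                # trigger or a pre-existing webshell), so it is graded rather than dropped.
                "severity": "high" if recent else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, only the 10.0.0.5 sequence produces an alert; the images upload from 10.0.0.9 and the PDF fetch from 10.0.0.7 are ignored because neither touches the 'files' folder with an executable extension.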
CVSS provenance
NVD v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P
No detection rules found.
Exploit-DB
vTiger CRM 5.3.0 / 5.4.0 - (Authenticated) Remote Code Execution (Metasploit)
exploitdb · 2013-10-31 · CVE-2013-3591
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'vTigerCRM v5.4.0/v5.3.0 Authenticated Remote Code Execution',
      'Description' => %q{
        vTiger CRM allows an authenticated user to upload files to embed within documents.
        Due to insufficient privileges on the 'files' upload folder, an attacker can upload a PHP
        script and execute arbitrary PHP code remotely.
        This module was tested against vTiger CRM v5.4.0 and v5.3.0.
      },
      'Author'      =>
        [
          'Brandon Perry' # Discovery / msf module
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          ['CVE', '2013-3591'],
          ['URL', 'https://community.rapid7.com/community/
# (the indexed copy of the module ends here)
```
Metasploit
vTigerCRM v5.4.0/v5.3.0 Authenticated Remote Code Execution
vTiger CRM allows an authenticated user to upload files to embed within documents. Due to insufficient privileges on the 'files' upload folder, an attacker can upload a PHP script and execute arbitrary PHP code remotely. This module was tested against vTiger CRM v5.4.0 and v5.3.0.
No writeups or analysis indexed.
References
- http://www.exploit-db.com/exploits/29319
- http://www.securityfocus.com/bid/63454
- https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-foss-disclosures-part-one
- https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats