CVE-2014-5468
published 2020-02-07

Priority: P2 · 71 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Exploit: yes
EPSS: 52.56% (98.8th percentile)
A File Inclusion vulnerability exists in Railo 4.2.1 and earlier via a specially-crafted URL request to the thumbnail.cfm to specify a malicious PNG file, which could let a remote malicious user obtain sensitive information or execute arbitrary code.

Affected

1 range

Vendor     Product   Version range   Fixed in
getrailo   railo     <= 4.2.1.000    (not listed)

Detection & IOCs (extracted from sources)

path: /railo-context/admin/thumbnail.cfm
path: /railo-context/admin/img.cfm
path: ../../../../temp/admin-ext-thumbnails/
filename: thumbnail.cfm
  • Monitor HTTP requests to /railo-context/admin/thumbnail.cfm with an external 'img' parameter pointing to a remote URL, which indicates an RFI exploitation attempt.
  • Detect directory traversal in requests to img.cfm via the 'attributes.src' parameter containing '../../../../temp/admin-ext-thumbnails/' to identify second-stage payload execution.
  • Alert on HTTP 500 responses from the Railo server following a GET to thumbnail.cfm with external img, height, and width parameters; the exploit expects a 500 to confirm successful staging.
  • Detect the 'thistag.executionmode=start' query parameter in requests to img.cfm, which is a specific indicator of the directory-traversal/CFML execution step of this exploit chain.
  • A PNG file served with embedded CFML markup (ColdFusion markup appended to the PNG) is used as the stager; inspect files written to temp/admin-ext-thumbnails/ for CFML content.
  • Use the known MD5 of /res/images/id.png (6de48cb72421cfabdce440077a921b25) to fingerprint unpatched Railo 4.2.1 instances during scanning.
  • The default TARGETURI for the Metasploit module is '/railo-context/'; deployments with a non-default base URI will use a different path prefix, so detections should account for variable base paths.
  • The exploit requires SRVHOST to be a routable IP address reachable by the target server; exploitation will fail if the attacker host is not externally accessible, limiting the attack surface to network-reachable scenarios.
  • The hash used to reference the staged file in temp/admin-ext-thumbnails/ is computed as the MD5 of '<stager_url>-5000-5000' (width/height hardcoded to 5000), uppercased; detection rules should account for this naming pattern.

CVSS provenance

nvd · v3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd · v2.0 · 6.8 MEDIUM · AV:N/AC:M/Au:N/C:P/I:P/A:P