CVE-2015-3884
Published 2017-03-17
Priority: P2 · 72 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 14.40% (96.2nd percentile)
Unrestricted file upload vulnerability in the (1) myAccount, (2) projects, (3) tasks, (4) tickets, (5) discussions, (6) reports, and (7) scheduler pages in qdPM 8.3 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in uploads/attachments/ or uploads/users/.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| qdpm | qdpm | <= 9.1 | — |
Detection & IOCs (extracted from sources)
- Monitor for file uploads with executable extensions to the uploads/attachments/ and uploads/users/ directories in qdPM installations, followed by direct HTTP GET requests to those paths — this two-stage pattern (upload then access) is the exploitation sequence.
- The qdPM 9.1 bypass variant abuses the users['photop_preview'] delete photo feature with a path traversal to circumvent .htaccess protections and upload malicious PHP files via the profile photo functionality.
- Alert on authenticated POST requests uploading PHP or other executable files through the profile photo upload endpoint in qdPM, as this is the specific attack vector used for RCE.
- The vulnerability is exploitable across multiple qdPM pages: myAccount, projects, tasks, tickets, discussions, reports, and scheduler — monitor file upload activity on all these endpoints.
- The qdPM upload_exec Metasploit module targets the user profile photo upload feature; detect exploitation attempts by correlating authenticated sessions with multipart file upload requests containing executable file extensions.
- CVE-2015-3884 was incompletely fixed; qdPM 9.1 and earlier remain vulnerable via the path traversal bypass of .htaccess, meaning patching to versions between 8.3 and 9.1 may not fully remediate the issue.
- Exploitation requires valid credentials to the qdPM application; detections should account for authenticated attacker sessions, not just anonymous upload attempts.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
GHSA
GHSA-c89p-wjj4-mr4g · CVE-2020-7246 [HIGH] · CWE-22 · unreviewed · 2022-05-24 · CVSS 8.8
A remote code execution (RCE) vulnerability exists in qdPM 9.1 and earlier. An attacker can upload a malicious PHP code file via the profile photo functionality, by leveraging a path traversal vulnerability in the users['photop_preview'] delete photo feature, allowing bypass of .htaccess protection. NOTE: this issue exists because of an incomplete fix for CVE-2015-3884.
GHSA
GHSA-v3rx-h663-g7gx · CVE-2015-3884 [CRITICAL] · CWE-434 · unreviewed · 2022-05-17
Unrestricted file upload vulnerability in the (1) myAccount, (2) projects, (3) tasks, (4) tickets, (5) discussions, (6) reports, and (7) scheduler pages in qdPM 8.3 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in uploads/attachments/ or uploads/users/.
No detection rules found.
Metasploit
qdPM 9.1 Authenticated Arbitrary PHP File Upload (RCE) · CVE-2015-3884 [HIGH] · CVSS 8.8
A remote code execution (RCE) vulnerability exists in qdPM 9.1 and earlier. An attacker can upload a malicious PHP code file via the profile photo functionality, by leveraging a path traversal vulnerability in the users['photop_preview'] delete photo feature, allowing bypass of .htaccess protection. NOTE: this issue exists because of an incomplete fix for CVE-2015-3884.
Metasploit
qdPM v7 Arbitrary PHP File Upload Vulnerability
This module exploits a vulnerability found in qdPM, web-based project management software. The user profile's photo upload feature can be abused to upload any arbitrary file onto the victim server machine, which allows remote code execution. Please note that in order to use this module, you must have valid credentials to sign in.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/168559/qdPM-9.1-Authenticated-Shell-Upload.html
- http://rossmarks.uk/portfolio.php
- http://rossmarks.uk/whitepapers/qdPM_8.3.txt