cbcvebase.
CVE-2015-6567
published 2017-04-14

CVE-2015-6567: Wolf CMS before 0.8.3.1 allows unrestricted file upload and PHP Code Execution because admin/plugin/file_manager/browse/ (aka the filemanager) does not…

PriorityP265high8.8CVSS 3.0
AVNACLPRLUINSUCHIHAH
EXPLOIT
EPSS
10.84%
95.3th percentile
Wolf CMS before 0.8.3.1 allows unrestricted file upload and PHP Code Execution because admin/plugin/file_manager/browse/ (aka the filemanager) does not validate the parameter "filename" properly. Exploitation requires a registered user who has access to upload functionality.

Affected

1 ranges
VendorProductVersion rangeFixed in
wolfcmswolf_cms<= 0.8.3

Detection & IOCsextracted from sources · hover to see the quote

url/?/admin/plugin/file_manager/browse/
url/?/admin/plugin/file_manager/upload/
path/public/
filenamehello.php
  • Monitor HTTP POST requests to the file manager upload endpoint (/?/admin/plugin/file_manager/upload/) containing multipart/form-data with a PHP file extension in the filename parameter.
  • Alert on HTTP GET requests to /wolfcms/public/*.php, which indicates execution of an uploaded PHP webshell in the public directory.
  • The vulnerable parameter is 'filename' in the file manager browse/upload functionality; inspect multipart upload requests for PHP file extensions in this parameter.
  • Uploaded PHP payloads are accessible under the /wolfcms/public/ path immediately after upload; monitor web server access logs for .php file access under this directory.
  • ·Exploitation requires an authenticated session; the attacker must first obtain valid credentials for a user with upload/file manager access before the file upload attack can proceed.
  • ·The Metasploit module extracts a CSRF token from the file manager browse page before uploading; detection logic should account for a GET to the browse page immediately followed by a POST to the upload endpoint from the same session.

CVSS provenance

nvdv3.08.8HIGHCVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.06.5MEDIUMAV:N/AC:L/Au:S/C:P/I:P/A:P
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.