cbcvebase.
CVE-2015-6568
published 2017-04-14


Priority: P2 · 64 · high · 8.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 10.55% (95.2th percentile)
Wolf CMS before 0.8.3.1 allows unrestricted file rename and PHP Code Execution because admin/plugin/file_manager/browse/ (aka the filemanager) does not prevent a change of a file extension to ".php" after originally using the parameter "filename" for uploading a JPEG image. Exploitation requires a registered user who has access to upload functionality.

Affected

1 range
Vendor | Product | Version range | Fixed in
wolfcms | wolf_cms | <= 0.8.3 |

Detection & IOCs (extracted from sources)

url: http://targetsite.com/wolfcms/?/admin/plugin/file_manager/browse/
url: /?/admin/plugin/file_manager/upload/
url: /?/admin/login/login/
path: /public/
url: http://targetsite.com/wolfcms/public/hello.php
  • Monitor HTTP POST requests to the file_manager upload endpoint (/?/admin/plugin/file_manager/upload/) where the uploaded filename parameter contains a .php extension, indicating an attempt to upload a PHP webshell.
  • Detect multipart/form-data POST requests to /?/admin/plugin/file_manager/upload/ followed by a GET request to /wolfcms/public/<random>.php, which is the Metasploit exploitation pattern for this CVE.
  • Alert on any file with a .php extension appearing under the /wolfcms/public/ directory, as legitimate uploads should not place executable PHP files there.
  • Monitor for the vulnerable parameter 'filename' in POST requests to the filemanager browse/upload path, especially when the value ends in .php.
  • Inspect the Content-Type header of upload requests; the Metasploit module sends 'multipart/form-data; boundary=---------------------------<boundary>' to the upload endpoint — anomalous boundary patterns may indicate automated exploitation.
  • Exploitation requires an authenticated session; the attacker must first obtain valid credentials and log in via the admin login endpoint before abusing the file manager.
  • The Metasploit module targets Wolf CMS 0.8.2 specifically; the base URI defaults to '/wolfcms' but may differ in non-default deployments, affecting path-based detection rules.
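
The correlation described in the bullets above (a POST to the upload endpoint followed by a request for a .php file under public/) can be checked against web server access logs. The following is an added example, not part of the original record or of any vendor tooling; the combined log format, the sample lines, the client addresses and the name find_alerts are assumptions constructed for illustration, and the base URI is a parameter because it may differ from '/wolfcms'.

```python
import re
from urllib.parse import urlsplit

UPLOAD = "/admin/plugin/file_manager/upload/"   # endpoint named on this page
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample lines in combined log format (not taken from a real host).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wolfcms/?/admin/login/login/ HTTP/1.1" 302 0 "-" "-"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /wolfcms/?/admin/plugin/file_manager/upload/ HTTP/1.1" 302 0 "-" "-"
198.51.100.4 - - [10/Mar/2024:10:00:04 +0000] "GET /wolfcms/public/images/logo.jpg HTTP/1.1" 200 5120 "-" "-"
203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "GET /wolfcms/public/hello.php HTTP/1.1" 200 12 "-" "-"
198.51.100.4 - - [10/Mar/2024:10:00:09 +0000] "GET /wolfcms/public/old.php HTTP/1.1" 404 0 "-" "-"
"""

def find_alerts(log_text, base_uri="/wolfcms"):
    """Return (severity, ip, path) tuples for .php requests under <base>/public/."""
    public = (base_uri.rstrip("/") + "/public/").lower()
    uploaders = set()          # clients already seen POSTing to the upload endpoint
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue           # skip lines that are not in the expected format
        url = urlsplit(m["target"])
        path = url.path.lower()
        # Wolf CMS routes through the query string: /wolfcms/?/admin/...
        if m["method"] == "POST" and url.query.startswith(UPLOAD):
            uploaders.add(m["ip"])
        elif path.startswith(public) and path.endswith(".php"):
            # An upload followed by a successful PHP hit from the same client
            # is the high-signal case; any other .php under public/ needs review.
            hit = m["ip"] in uploaders and m["status"] == "200"
            alerts.append(("high" if hit else "review", m["ip"], url.path))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

Access logs normally do not record the multipart body, so the 'filename' parameter and the Content-Type boundary mentioned above have to be inspected at a WAF or proxy that sees the request body.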

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P
vendor_redhat | | 3.5 | LOW |