CVE-2016-1713
Published: 2017-04-14
Priority: P3 · 57 · high · 7.3 (CVSS 3.0)
Vector: AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 16.56% (96.6th percentile)
Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.4.0 allows remote authenticated users to execute arbitrary code by uploading a crafted image file with an executable extension, then accessing it via a direct request to the file in test/logo/. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6000.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vtiger | vtiger_crm | — | — |
Detection & IOCs
- Detect multipart POST to index.php with action=CompanyDetailsSave containing a file upload with a PHP (or other executable) extension but a Content-Type of image/jpeg; this is the content-type bypass used in the exploit.
- Alert on GET requests to /test/logo/*.php; uploaded PHP webshells are executed by directly requesting them under this path.
- Monitor for the CSRF token regex pattern in Vtiger login responses and a subsequent authenticated POST to CompanyDetailsSave as an indicator of exploit automation.
- Flag any file written to the test/logo/ directory with a non-image extension (e.g., .php) on the Vtiger CRM server filesystem.
- The Metasploit module defaults to the php/meterpreter/reverse_tcp payload encoded with php/base64; detect base64-encoded PHP meterpreter stagers in uploaded files under test/logo/.
- CVE-2016-1713 affects Vtiger CRM 6.4.0 and is an incomplete fix for CVE-2015-6000 (which affected 6.3.0); the Metasploit module and EDB-38345 were originally written and tested against v6.3.0, so detection logic should cover both versions.
- Doc 3 (EDB-47392) references CVE-2016-1713 only incidentally in its references section; its actual vulnerability content describes Adobe ColdFusion 2018 / Symantec ASG and is unrelated to this CVE. Disregard its IOCs for CVE-2016-1713 detections.
- Exploitation requires authentication as an administrator; detections should be scoped to authenticated sessions (valid session cookie present) to reduce false positives.
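Two of the checks above, as an added example that is not part of the indexed sources: flagging requests for non-image files under /test/logo/ in a combined-format access log, and flagging an upload part whose filename extension contradicts its declared image Content-Type. The image allowlist, the form field name `logo`, the log lines and the part headers are constructed assumptions; `2.php` is the filename quoted in EDB-38345.

```python
import re
from email.parser import HeaderParser
from pathlib import PurePosixPath
from urllib.parse import unquote

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}  # assumed logo allowlist
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def non_image_logo_requests(log_lines):
    """Return (path, status) for requests to non-image files under /test/logo/."""
    hits = []
    for line in log_lines:
        m = REQ_RE.search(line)
        if not m:
            continue
        # Drop the query string and decode %-escapes before checking the path.
        path = unquote(m["target"].split("?", 1)[0])
        if "/test/logo/" not in path.lower() or path.endswith("/"):
            continue
        if PurePosixPath(path).suffix.lower() not in IMAGE_EXTS:
            hits.append((path, int(m["status"])))
    return hits

def upload_part_mismatch(part_headers):
    """True when a multipart part declares image/* but the filename is not an image."""
    msg = HeaderParser().parsestr(part_headers)
    filename = msg.get_filename()  # filename= parameter of Content-Disposition
    if not filename:
        return False
    ext = PurePosixPath(filename).suffix.lower()
    return msg.get_content_maintype() == "image" and ext not in IMAGE_EXTS

# Constructed sample data (not taken from a real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jan/2016:10:01:02 +0000] "POST /index.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Jan/2016:10:01:05 +0000] "GET /test/logo/2.php HTTP/1.1" 200 17',
    '198.51.100.4 - - [12/Jan/2016:10:02:00 +0000] "GET /test/logo/company.gif HTTP/1.1" 200 4096',
]
SAMPLE_PART = (
    'Content-Disposition: form-data; name="logo"; filename="2.php"\r\n'
    'Content-Type: image/jpeg\r\n\r\n'
)

if __name__ == "__main__":
    print(non_image_logo_requests(SAMPLE_LOG))
    print(upload_part_mismatch(SAMPLE_PART))
```

The part check needs the multipart part headers, which access logs do not record; they have to come from a WAF, reverse proxy or packet capture that logs request bodies.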
CVSS provenance
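| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.3 | HIGH | CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 8.5 | HIGH | AV:N/AC:M/Au:S/C:C/I:C/A:C |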
No detection rules found.
Exploit-DB
Symantec Advanced Secure Gateway (ASG) / ProxySG - Unrestricted File Upload
exploitdb·2019-09-16·CVSS 6.8
CVE-2016-10258 [MEDIUM] Symantec Advanced Secure Gateway (ASG) / ProxySG - Unrestricted File Upload
---
===========Security Intelligence============
# Vendor Homepage: adobe.com
# Version: 2018
# Tested on: Adobe ColdFusion 2018
# Exploit Author: Pankaj Kumar Thakur (Nepal)
==========[Table of Contents]==============
* Overview
* Detailed description
* Thanks & Acknowledgements
* References
==========[Vulnerability Information]========
* Unrestricted file upload in Adobe ColdFusion 2018
* CWE-434
* Base Score: 6.8 MEDIUM
* Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
=========[ Overview]=========================
* System Affected: Adobe ColdFusion 2018
* Impact: Unrestricted file upload
=====[ Detailed description]=================
Unrestricted file upload vulnerability in the Symantec Advanced Secure Gate
Exploit-DB
Vtiger CRM 6.3.0 - (Authenticated) Arbitrary File Upload (Metasploit)
exploitdb·2018-03-30
CVE-2016-1713 Vtiger CRM 6.3.0 - (Authenticated) Arbitrary File Upload (Metasploit)
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'Vtiger CRM 6.3.0 - Authenticated Arbitrary File Upload',
'Description' => %q{
Vtiger 6.3.0 CRM's administration interface allows for the upload of
a company logo.
Instead of uploading an image, an attacker may choose to upload a
file containing PHP code and
run this code by accessing the resulting PHP file.
This module was tested against vTiger CRM v6.3.0.
},
'Author' =>
[
'Benjamin Daniel Mussler', # Discoverys
'Touhid M.Shaikh ' # Metasploit Module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2015-6000'],
['CVE','2016-1713'],
['EDB', '38345'
Exploit-DB
vTiger CRM 6.3.0 - (Authenticated) Remote Code Execution
exploitdb·2015-09-28·CVSS 8.8
CVE-2016-1713 [HIGH] vTiger CRM 6.3.0 - (Authenticated) Remote Code Execution
---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
# Exploit Title: Vtiger CRM
-----------------------------51732462825208
Content-Disposition: form-data; name="address"
[...]
The resulting PHP file can then be accessed at
[Vtiger URL]/test/logo/2.php
- --
Benjamin Daniel MUSSLER
Ix-Xgħajra, Malta Tel (MT) +356 9965 3798
Karlsruhe, Germany Tel (DE) +49 721 989 0150
Web: https://FL7.DE PGP: https://FL7.DE/pgp/
Metasploit
Vtiger CRM - Authenticated Logo Upload RCE
metasploit
Vtiger 6.3.0 CRM's administration interface allows for the upload of a company logo. Instead of uploading an image, an attacker may choose to upload a file containing PHP code and run this code by accessing the resulting PHP file. This module was tested against vTiger CRM v6.3.0.
No writeups or analysis indexed.
References
- http://b.fl7.de/2016/01/vtiger-crm-6.4-auth-rce.html
- http://www.openwall.com/lists/oss-security/2016/01/12/4
- http://www.openwall.com/lists/oss-security/2016/01/12/7
- https://www.exploit-db.com/exploits/44379/

Published: 2017-04-14