CVE-2017-1000119
Published 2017-10-05
Priority: P265, high; CVSS 3.0: 7.2
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 61.35% (99.0th percentile)
October CMS build 412 is vulnerable to PHP code execution in the file upload functionality resulting in site compromise and possibly other applications on the server.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| october | cms | 0 – 1.0.412 | — |
| octobercms | october | — | — |
Detection & IOCs (extracted from sources)
- Detect POST requests to `/backend/cms/media` containing a `.php5` file upload with the custom header `X-OCTOBER-FILEUPLOAD: MediaManager-manager`. This is the exact upload bypass vector used by the exploit.
- Alert on any GET request to `/storage/app/media/*.php5` (or other non-blacklisted PHP-executable extensions), which indicates a previously uploaded webshell is being triggered.
- The exploit uses a blacklist bypass: the `.php5` extension is not in `blockedExtensions()`. Monitor for uploads of files with extensions `.php5`, `.php3`, `.php4`, `.phtml`, etc. to the media manager path.
- The default Metasploit payload used is `php/meterpreter/reverse_tcp` encoded with `php/base64`. Look for base64-encoded PHP payloads in uploaded files under `/storage/app/media/`.
- Fingerprint exploit check: the attacker probes `GET /modules/system/assets/js/framework.js` to confirm October CMS presence before launching the attack.
- The uploaded payload filename is 8–13 random alpha characters followed by `.php5` (e.g., `abcdefgh.php5`). Regex pattern for detection: `[a-zA-Z]{8,13}\.php5`
- The exploit requires an authenticated session with media upload/management permissions; this is not an unauthenticated RCE. Detection should account for a preceding successful login to `/backend/backend/auth/signin`.
- The module was tested specifically against October CMS v1.0.412 on Ubuntu; behavior on other OS/versions may differ.
- The blacklist bypass relies on `.php5` not being present in `blockedExtensions()`. If the target installation has a customized or patched blocklist, the bypass may not work with `.php5`, but other extensions could still be viable.
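The correlation these notes describe, as an added example (not code from this page or from any project it cites): a Python scan over combined-format access-log lines that ties a media-manager upload POST to a later GET for a PHP-executable file under `/storage/app/media/`. The function name, severity labels and sample lines are assumptions made here; the `X-OCTOBER-FILEUPLOAD` header is not checked because standard access logs do not record request headers.

```python
import re

# Prefix of an Apache/nginx "combined" access-log line: client IP, method, path.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) ')
# Extensions the notes above name as candidates for slipping past blockedExtensions().
EXEC = re.compile(r'^/storage/app/media/(?:.*/)?(?P<name>[^/?]+\.(?:php[345]|phtml))(?:\?|$)', re.I)
# Filename shape the notes above give for the Metasploit-generated payload.
MSF_NAME = re.compile(r'^[a-zA-Z]{8,13}\.php5$')

def scan(lines):
    """Return (severity, client_ip, path) alerts in log order."""
    uploaders, alerts = set(), []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, method, path = m["ip"], m["method"], m["path"]
        if method == "POST" and path.split("?")[0].rstrip("/") == "/backend/cms/media":
            uploaders.add(ip)  # client used the media-manager upload endpoint
            continue
        hit = EXEC.match(path)
        if method == "GET" and hit:
            if ip in uploaders and MSF_NAME.match(hit["name"]):
                sev = "critical"  # upload, then request for a payload-shaped name
            elif ip in uploaders:
                sev = "high"      # upload, then request for another script name
            else:
                sev = "medium"    # script request with no upload seen in this window
            alerts.append((sev, ip, path))
    return alerts

# Constructed sample lines (documentation IP ranges), not from a real incident.
SAMPLE = [
    '203.0.113.7 - - [05/Oct/2017:10:00:01 +0000] "GET /modules/system/assets/js/framework.js HTTP/1.1" 200 9120',
    '203.0.113.7 - - [05/Oct/2017:10:00:02 +0000] "POST /backend/backend/auth/signin HTTP/1.1" 302 0',
    '203.0.113.7 - - [05/Oct/2017:10:00:03 +0000] "POST /backend/cms/media HTTP/1.1" 200 512',
    '203.0.113.7 - - [05/Oct/2017:10:00:04 +0000] "GET /storage/app/media/qwertyuiop.php5 HTTP/1.1" 200 0',
    '198.51.100.4 - - [05/Oct/2017:10:01:00 +0000] "GET /storage/app/media/photos/banner.jpg HTTP/1.1" 200 48211',
    '198.51.100.9 - - [05/Oct/2017:10:02:00 +0000] "GET /storage/app/media/info.phtml HTTP/1.1" 404 162',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(*alert)
```

Keying the correlation on client IP is a simplification; where the backend session identifier is logged, it is the more reliable join key.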
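CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.2 | HIGH | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |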
OSV
October CMS PHP Code Execution
osv·2022-05-13
CVE-2017-1000119 [HIGH] October CMS PHP Code Execution
GHSA
October CMS PHP Code Execution
ghsa·2022-05-13
CVE-2017-1000119 [HIGH] CWE-434 October CMS PHP Code Execution
No detection rules found.
Exploit-DB
October CMS - Upload Protection Bypass Code Execution (Metasploit)
exploitdb·2019-09-10
CVE-2017-1000119 October CMS - Upload Protection Bypass Code Execution (Metasploit)
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'October CMS Upload Protection Bypass Code Execution',
'Description' => %q{
This module exploits an Authenticated user with permission to upload and manage media contents can
upload various files on the server. Application prevents the user from
uploading PHP code by checking the file extension. It uses black-list based
approach, as seen in octobercms/vendor/october/rain/src/Filesystem/
Definitions.php:blockedExtensions().
This module was tested on October CMS version v1.0.412 on Ubuntu.
},
'Author' =>
[
'Anti Räis', # Discovery
'Touhid M.Shaikh ', # Metasplo
```
Metasploit
October CMS Upload Protection Bypass Code Execution
metasploit
This module exploits an Authenticated user with permission to upload and manage media contents can upload various files on the server. Application prevents the user from uploading PHP code by checking the file extension. It uses black-list based approach, as seen in octobercms/vendor/october/rain/src/Filesystem/Definitions.php:blockedExtensions(). This module was tested on October CMS version v1.0.412 on Ubuntu.
No writeups or analysis indexed.
2017-10-05
Published