CVE-2017-1000119
published 2017-10-05

Priority: P265 high · 7.2 (CVSS 3.0)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 61.35% (99.0th percentile)
October CMS build 412 is vulnerable to PHP code execution in the file upload functionality resulting in site compromise and possibly other applications on the server.

Affected

2 ranges
Vendor   Product   Version range   Fixed in
octobercms   0 – 1.0.412
octobercms   october

Detection & IOCs (extracted from sources)

url: /backend/backend/auth/signin
url: /backend/cms/media
url: /storage/app/media/<payload>.php5
path: /storage/app/media/
filename: *.php5
other: X-OCTOBER-FILEUPLOAD: MediaManager-manager
other: content-type: application/x-php
  • Detect POST requests to /backend/cms/media containing a .php5 file upload with the custom header X-OCTOBER-FILEUPLOAD: MediaManager-manager — this is the exact upload bypass vector used by the exploit.
  • Alert on any GET request to /storage/app/media/*.php5 (or other non-blacklisted PHP-executable extensions), which indicates a previously uploaded webshell is being triggered.
  • The exploit uses a blacklist bypass: .php5 extension is not in blockedExtensions(). Monitor for upload of files with extensions .php5, .php3, .php4, .phtml, etc. to the media manager path.
  • The default Metasploit payload used is php/meterpreter/reverse_tcp encoded with php/base64 — look for base64-encoded PHP payloads in uploaded files under /storage/app/media/.
  • Fingerprint exploit check: attacker probes GET /modules/system/assets/js/framework.js to confirm October CMS presence before launching the attack.
  • Uploaded payload filename is 8–13 random alpha characters followed by .php5 (e.g., abcdefgh.php5). Regex pattern for detection: [a-zA-Z]{8,13}\.php5
  • The exploit requires an authenticated session with media upload/management permissions; this is not an unauthenticated RCE. Detection should account for a preceding successful login to /backend/backend/auth/signin.
  • The module was tested specifically against October CMS v1.0.412 on Ubuntu; behavior on other OS/versions may differ.
  • The blacklist bypass relies on .php5 not being present in blockedExtensions(). If the target installation has a customized or patched blocklist, the bypass may not work with .php5 but other extensions could still be viable.
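The detection notes above, combined into one log check. This is an added example, not code from the original page or from any project it cites. It assumes a combined-format web access log, keys on request paths only (the X-OCTOBER-FILEUPLOAD header is not recorded in a standard access log), and generalizes the page's .php5 pattern to the other extensions the notes list; the sample lines, IP addresses and filenames are constructed.

```python
import re

# Combined access-log prefix: client IP ... "METHOD PATH PROTO" STATUS
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Script extensions the page lists as alternates a ".php" blacklist can miss.
SHELL_RE = re.compile(
    r'^/storage/app/media/(?:[^?]*/)?([^/?]+\.(?:php[345]|phtml))(?:\?|$)', re.I)
# Filename shape the page gives for the Metasploit module's payload.
MSF_NAME_RE = re.compile(r'^[a-zA-Z]{8,13}\.php5$')
SIGNIN, MEDIA = "/backend/backend/auth/signin", "/backend/cms/media"

def detect(lines):
    """Return one finding per request for a script file under the media directory."""
    seen, findings = {}, []  # seen: client IP -> earlier stages observed
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m.groups()
        stages = seen.setdefault(ip, set())
        bare = path.split("?", 1)[0]
        # A POST is only recorded as seen; login success is not verified here.
        if method == "POST" and bare == SIGNIN:
            stages.add("signin")
        elif method == "POST" and bare == MEDIA:
            stages.add("media_post")
        hit = SHELL_RE.match(path)
        if hit:
            findings.append({
                "ip": ip, "file": hit.group(1), "status": int(status),
                "msf_name": bool(MSF_NAME_RE.match(hit.group(1))),
                "full_chain": {"signin", "media_post"} <= stages,
            })
    return findings

# Constructed sample log: documentation-range IPs, invented filenames and times.
TS = "[01/Jan/2024:10:00:00 +0000]"
SAMPLE = [
    f'203.0.113.7 - - {TS} "GET /modules/system/assets/js/framework.js HTTP/1.1" 200 5120',
    f'203.0.113.7 - - {TS} "POST /backend/backend/auth/signin HTTP/1.1" 302 0',
    f'203.0.113.7 - - {TS} "POST /backend/cms/media HTTP/1.1" 200 48',
    f'198.51.100.9 - - {TS} "GET /storage/app/media/photo.jpg HTTP/1.1" 200 20480',
    f'203.0.113.7 - - {TS} "GET /storage/app/media/abcdefghij.php5 HTTP/1.1" 200 0',
    f'198.51.100.9 - - {TS} "GET /storage/app/media/uploads/x.phtml?c=1 HTTP/1.1" 404 162',
]

if __name__ == "__main__":
    for f in detect(SAMPLE):
        print(f)
```

A finding with `full_chain` set ties the script request to an earlier sign-in POST and media-manager POST from the same client; findings without it still merit review, since the upload may have come from a different address.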

CVSS provenance

nvd · v3.0 · 7.2 · HIGH · CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 6.5 · MEDIUM · AV:N/AC:L/Au:S/C:P/I:P/A:P