CVE-2017-18048
Published 2018-01-23
Priority: P2 · 78 · high · 8.8 (CVSS 3.0)
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 63.93% (99.1th percentile)
Monstra CMS 3.0.4 allows users to upload arbitrary files, which leads to remote command execution on the server, for example because .php (lowercase) is blocked but .PHP (uppercase) is not.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| monstra | monstra | <= 3.0.4 | — |
| monstra | monstra | — | — |
Detection & IOCs (extracted from sources)
- Monitor file uploads to admin/index.php?id=filesmanager for files with extensions .pht or .phar, which bypass the CMS forbidden-types list blocking .php
- Alert on multipart/form-data POST requests to admin/index.php?id=filesmanager containing filenames ending in .phar, .pht, or .php7
- Detect the p0wny web shell by its HTML title string 'p0wny@shell:~#' in HTTP responses from the server, indicating a successfully uploaded and executed shell
- The exploit requires authenticated access (Admin or Editor role); unauthenticated exploitation is not possible for this CVE
- The forbidden-types bypass is extension-based; only specific non-blocked extensions (.phar, .pht, .php7) are exploitable; the CMS does block .php directly
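The upload checks listed above can be expressed as one detection function. This is an added example, not code from Monstra or from any of the indexed sources; it assumes the request has already been split into method, target, Content-Type and body (for instance by a proxy or WAF), and the function names and the form field name `file` are hypothetical.

```python
from email import message_from_bytes
from urllib.parse import urlsplit, parse_qs

# Extensions named on this page: .php in any letter case, .pht, .phar, .php7.
RISKY_EXTS = {"php", "pht", "phar", "php7"}
UPLOAD_PATH = "admin/index.php"

def is_filesmanager(target):
    """True when the request target is admin/index.php?id=filesmanager."""
    parts = urlsplit(target)
    return (parts.path.lower().endswith(UPLOAD_PATH)
            and parse_qs(parts.query).get("id") == ["filesmanager"])

def uploaded_filenames(content_type, body):
    """Return every filename carried in a multipart/form-data body."""
    raw = b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
    msg = message_from_bytes(raw)
    if not msg.is_multipart():
        return []
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def risky_upload(method, target, content_type, body):
    """Return the uploaded filenames that should raise an alert."""
    if method.upper() != "POST" or not is_filesmanager(target):
        return []
    hits = []
    for name in uploaded_filenames(content_type, body):
        # Lower-case the extension and drop trailing dots/spaces so that
        # "shell.PHP" is matched exactly like "shell.php".
        ext = name.strip(". ").rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTS:
            hits.append(name)
    return hits

def sample_request(filename):
    """Build a constructed multipart body; the field name is an assumption."""
    b = "XBOUND"
    body = (f'--{b}\r\nContent-Disposition: form-data; name="file"; '
            f'filename="{filename}"\r\n'
            f'Content-Type: application/octet-stream\r\n\r\n'
            f'constructed sample content\r\n--{b}--\r\n').encode()
    return f"multipart/form-data; boundary={b}", body
```

Comparing the lower-cased extension covers the .PHP case described for CVE-2017-18048 as well as the .pht, .phar and .php7 cases from the related entries.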
CVSS provenance
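| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |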
GHSA
GHSA-m622-8qr4-g6gf: Monstra CMS 3
ghsa_unreviewed·2022-05-24·CVSS 8.8
CVE-2020-13384 [HIGH] GHSA-m622-8qr4-g6gf: Monstra CMS 3
Monstra CMS 3.0.4 allows remote authenticated users to upload and execute arbitrary PHP code via admin/index.php?id=filesmanager because, for example, .php filenames are blocked but .php7 filenames are not, a related issue to CVE-2017-18048.
GHSA
GHSA-9gjw-qvrh-6f5r: Monstra CMS 3
ghsa_unreviewed·2022-05-14
CVE-2017-18048 [HIGH] CWE-434 GHSA-9gjw-qvrh-6f5r: Monstra CMS 3
Monstra CMS 3.0.4 allows users to upload arbitrary files, which leads to remote command execution on the server, for example because .php (lowercase) is blocked but .PHP (uppercase) is not.
GHSA
GHSA-4cjq-7wr8-ccw5: Monstra CMS through 3
ghsa_unreviewed·2022-05-13·CVSS 8.8
CVE-2018-6383 [HIGH] CWE-184 GHSA-4cjq-7wr8-ccw5: Monstra CMS through 3
Monstra CMS through 3.0.4 has an incomplete "forbidden types" list that excludes .php (and similar) file extensions but not the .pht or .phar extension, which allows remote authenticated Admins or Editors to execute arbitrary PHP code by uploading a file, a different vulnerability than CVE-2017-18048.
No detection rules found.
Exploit-DB
Monstra CMS 3.0.4 - Remote Code Execution (Authenticated)
exploitdb·2021-06-04·CVSS 8.8
CVE-2018-6383 [HIGH] Monstra CMS 3.0.4 - Remote Code Execution (Authenticated)
---
# Exploit Title: Monstra CMS 3.0.4 - Remote Code Execution (Authenticated)
# Date: 03.06.2021
# Exploit Author: Ron Jost (hacker5preme)
# Vendor Homepage: https://monstra.org/
# Software Link: https://monstra.org/monstra-3.0.4.zip
# Version: 3.0.4
# Tested on: Ubuntu 20.04
# CVE: CVE-2018-6383
# Documentation: https://github.com/Hacker5preme/Exploits#CVE-2018-6383-Exploit
'''
Description:
Monstra CMS through 3.0.4 has an incomplete "forbidden types" list that excludes .php (and similar) file extensions
but not the .pht or .phar extension, which allows remote authenticated Admins or Editors to execute arbitrary PHP code
by uploading a file, a different vulnerability than CVE-2017-18048.
'''
'''
Import required modules:
'''
i
Metasploit
Monstra CMS Authenticated Arbitrary File Upload
metasploit
MonstraCMS 3.0.4 allows users to upload arbitrary files, which leads to remote command execution on the remote server. An attacker may choose to upload a file containing PHP code and run this code by accessing the resulting PHP file. This module was tested against MonstraCMS 3.0.4.
No writeups or analysis indexed.
- https://blogs.securiteam.com/index.php/archives/3559
- https://github.com/monstra-cms/monstra/issues/426
- https://securityprince.blogspot.in/2017/12/monstra-cms-304-arbitrary-file-upload.html
- https://www.exploit-db.com/exploits/43348/
Published: 2018-01-23