CVE-2017-18048
published 2018-01-23


Priority: P278 high
CVSS 3.0: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 63.93% (99.1th percentile)
Monstra CMS 3.0.4 allows users to upload arbitrary files, which leads to remote command execution on the server, for example because .php (lowercase) is blocked but .PHP (uppercase) is not.

Affected

2 ranges

Vendor    Product   Version range   Fixed in
monstra   monstra   <= 3.0.4        (not listed)
monstra   monstra   (not listed)    (not listed)

Detection & IOCs (extracted from sources)

URL: admin/index.php?id=filesmanager
  • Monitor file uploads to admin/index.php?id=filesmanager for files with extensions .pht or .phar, which bypass the CMS forbidden-types list blocking .php
  • Alert on multipart/form-data POST requests to admin/index.php?id=filesmanager containing filenames ending in .phar, .pht, or .php7
  • Detect the p0wny web shell by its HTML title string 'p0wny@shell:~#' in HTTP responses from the server, indicating a successfully uploaded and executed shell
  • The exploit requires authenticated access (Admin or Editor role); unauthenticated exploitation is not possible for this CVE
  • The forbidden-types bypass is extension-based; only specific non-blocked extensions (.phar, .pht, .php7) are exploitable — the CMS does block .php directly
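The three detection points above (upload path, risky filename extensions, web shell title string) as one runnable check. This is an added example written for this entry, not code from the CVE record's sources or from the Monstra project; the event-record layout (`type`, `method`, `url`, `content_type`, `body`, `src`) and the sample traffic are constructed here for illustration. It matches extensions case-insensitively so that the upper-case .PHP case from the description is caught alongside .phar, .pht and .php7, and it only flags uploads that actually target the filesmanager endpoint.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Extensions from the IOC list plus the upper-case .PHP case from the CVE text.
# Compared case-insensitively, so .PHP, .Phar and .PHT all trigger.
RISKY_EXTS = (".php", ".phar", ".pht", ".php7")
UPLOAD_PATH = "admin/index.php"
SHELL_TITLE = "p0wny@shell:~#"

# Content-Disposition filename= parameter inside a multipart body.
FILENAME_RE = re.compile(r'filename="([^"]*)"', re.IGNORECASE)


def is_filesmanager_upload(method: str, url: str, content_type: str) -> bool:
    """True for a multipart/form-data POST to admin/index.php?id=filesmanager."""
    parts = urlsplit(url)
    return (
        method.upper() == "POST"
        and parts.path.endswith(UPLOAD_PATH)
        and parse_qs(parts.query).get("id") == ["filesmanager"]
        and content_type.lower().startswith("multipart/form-data")
    )


def risky_filenames(body: str) -> list[str]:
    """Filenames in a multipart body whose extension is on the risky list."""
    hits = []
    for name in FILENAME_RE.findall(body):
        base = re.split(r"[\\/]", name)[-1]   # ignore any path component
        if base.lower().endswith(RISKY_EXTS):
            hits.append(name)
    return hits


def scan(events: list[dict]) -> list[str]:
    """Run both IOC checks over request/response records; return alert strings."""
    alerts = []
    for ev in events:
        if ev["type"] == "request":
            if is_filesmanager_upload(ev["method"], ev["url"], ev.get("content_type", "")):
                for name in risky_filenames(ev.get("body", "")):
                    alerts.append(f"risky upload {name!r} to filesmanager from {ev['src']}")
        elif ev["type"] == "response" and SHELL_TITLE in ev.get("body", ""):
            alerts.append(f"web shell banner in response for {ev['url']}")
    return alerts


# Constructed sample traffic (not real captures). The second request is the
# upper-case bypass; the third uploads a .phar but not to the filesmanager
# endpoint, so it is out of scope for this rule; the response carries the shell title.
SAMPLE_EVENTS = [
    {"type": "request", "src": "10.0.0.5", "method": "POST",
     "url": "/admin/index.php?id=filesmanager",
     "content_type": "multipart/form-data; boundary=XYZ",
     "body": '--XYZ\r\nContent-Disposition: form-data; name="file"; filename="notes.txt"\r\n\r\nhello\r\n--XYZ--'},
    {"type": "request", "src": "10.0.0.9", "method": "POST",
     "url": "/admin/index.php?id=filesmanager",
     "content_type": "multipart/form-data; boundary=XYZ",
     "body": '--XYZ\r\nContent-Disposition: form-data; name="file"; filename="img.PHP"\r\n\r\n...\r\n--XYZ--'},
    {"type": "request", "src": "10.0.0.9", "method": "POST",
     "url": "/admin/index.php?id=pages",
     "content_type": "multipart/form-data; boundary=XYZ",
     "body": 'Content-Disposition: form-data; name="file"; filename="x.phar"'},
    {"type": "response", "url": "/uploads/img.PHP",   # constructed path
     "body": "<html><head><title>p0wny@shell:~#</title></head></html>"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Running it prints two alerts: the upper-case .PHP upload from 10.0.0.9 and the web shell banner in the response. Note the first bullet mentions .pht/.phar while the description stresses the .PHP case; a rule that compares the lower-cased extension covers both without maintaining a separate list per casing.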

CVSS provenance

NVD, v3.0: 8.8 HIGH  CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD, v2.0: 6.5 MEDIUM  AV:N/AC:L/Au:S/C:P/I:P/A:P