CVE-2017-6090
Published 2017-10-03
CVE-2017-6090: Unrestricted file upload vulnerability in clients/editclient.php in PhpCollab 2.5.1 and earlier allows remote authenticated users to execute arbitrary code by…
Priority: P184 · high · 8.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 96.07% (99.9th percentile)
Unrestricted file upload vulnerability in clients/editclient.php in PhpCollab 2.5.1 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in logos_clients/.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| phpcollab | phpcollab | <= 2.5.1 | — |
Detection & IOCs (extracted from sources)
- Detect GET requests to /logos_clients/*.php (or other executable extensions), which indicate an attacker triggering a previously uploaded webshell.
- The uploaded file is stored as <id>.<extension> under logos_clients/; monitor for newly created PHP files in that directory on the web server filesystem.
- Fingerprint exposed PhpCollab instances via Shodan/FOFA using the page title; these are likely vulnerable targets.
- The Metasploit module generates a filename of the form <random_alpha>.php (e.g. 1.abcdefgh.php) as the upload filename; look for multipart uploads with double-extension .*.php filenames to /clients/editclient.php.
- The NVD entry describes the vulnerability as requiring authentication ('remote authenticated users'), but the exploit-db PoC and Metasploit module demonstrate it is exploitable unauthenticated in practice.
- The uploaded file is renamed server-side to <id>.<extension>, so the original filename in the upload request will not match the filename accessible under logos_clients/; detections must account for both the upload filename and the resulting server-side path.
- The vulnerable code does not filter by extension at all: any extension (not just .php) can be uploaded and executed if the web server is configured to execute it.
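The request-side detections above, as an added example (not part of the original page or of any vendor rule): it scans web access logs for POSTs to clients/editclient.php and for requests to script-type files under logos_clients/, and correlates the two per client IP. The log lines are constructed, and the extension list, the 10-minute window and the function name `scan` are assumptions to adapt to the server's handler configuration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Jan/2024:10:00:01 +0000] "POST /clients/editclient.php HTTP/1.1" 302 512
203.0.113.7 - - [04/Jan/2024:10:00:03 +0000] "GET /logos_clients/1.php HTTP/1.1" 200 64
198.51.100.9 - - [04/Jan/2024:10:05:00 +0000] "GET /logos_clients/2.png HTTP/1.1" 200 20480
198.51.100.9 - - [04/Jan/2024:10:06:00 +0000] "GET /logos_clients/3.PHTML?x=1 HTTP/1.1" 404 0
"""

UPLOAD_ENDPOINT = "/clients/editclient.php"
# Assumption: extensions a typical PHP/CGI-enabled server may execute; match to your handlers.
EXEC_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht", "cgi", "pl"}
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
# <id>.<extension> directly under logos_clients/, optionally followed by path info.
LOGO_RE = re.compile(r"/logos_clients/[^/]+\.([A-Za-z0-9]+)(?:/|$)")

def scan(log_text, window=timedelta(minutes=10)):
    """Return (kind, client_ip, path, status) tuples for suspicious requests."""
    uploads = {}   # client IP -> time of its last POST to the upload endpoint
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, target, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        path = target.split("?", 1)[0]
        if method == "POST" and path.lower().endswith(UPLOAD_ENDPOINT):
            # Access logs do not show the multipart filename, so flag the POST itself.
            uploads[ip] = when
            findings.append(("upload-endpoint-post", ip, path, status))
            continue
        hit = LOGO_RE.search(path)
        if hit and hit.group(1).lower() in EXEC_EXTS:
            # The stored name is <id>.<extension>, so correlate by client, not filename.
            recent = ip in uploads and timedelta(0) <= when - uploads[ip] <= window
            kind = "upload-then-execute" if recent else "script-in-logos_clients"
            findings.append((kind, ip, path, status))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

Pair this with file-integrity monitoring on logos_clients/, since a request that returns 404 still shows probing while a 200 on a script path means the file exists on disk.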
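CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| vulncheck | — | 8.8 | HIGH | — |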
GHSA
GHSA-937h-6g5c-rjx5: Unrestricted file upload vulnerability in clients/editclient
ghsa_unreviewed · 2022-05-14 · HIGH · CWE-434
VulnCheck
phpcollab phpcollab Unrestricted Upload of File with Dangerous Type
vulncheck · 2017 · CVSS 8.8 · HIGH
Affected: phpcollab phpcollab
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-04&host_type=src&vulnerability=cve-2017-6090; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-13&host_type=src&vulner
No detection rules found.
Exploit-DB
phpCollab 2.5.1 - File Upload (Metasploit)
exploitdb · 2018-01-11
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'phpCollab 2.5.1 Unauthenticated File Upload',
'Description' => %q{
This module exploits a file upload vulnerability in phpCollab 2.5.1
which could be abused to allow unauthenticated users to execute arbitrary code
under the context of the web server user.
The exploit has been tested on Ubuntu 16.04.3 64-bit
},
'Author' =>
[
'Nicolas SERRA ', # Vulnerability discovery
'Nick Marcoccio "1oopho1e" ', # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2017-6090' ],
[ 'EDB', '42934' ],
[ 'URL', 'http://www.phpcollab.com/' ],
[ 'URL', 'https://sysdream.com/news/
Exploit-DB
phpCollab 2.5.1 - Arbitrary File Upload
exploitdb · 2017-10-02 · CVSS 8.8 · HIGH
---
# [CVE-2017-6090] PhpCollab 2.5.1 Arbitrary File Upload (unauthenticated)
## Description
PhpCollab is an open source web-based project management system, that enables collaboration across the Internet.
## Arbitrary File Upload
The phpCollab code does not correctly filter uploaded file contents. An unauthenticated attacker may upload and execute arbitrary code.
**CVE ID**: CVE-2017-6090
**Access Vector**: remote
**Security Risk**: Critical
**Vulnerability**: CWE-434
**CVSS Base Score**: 10 (Critical)
**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
### Proof of Concept
The following HTTP request allows an attacker to upload a malicious php file, without authentication.
Thus, a file named after `$id.extension` is c
Nuclei
PhpColl 2.5.1 Arbitrary File Upload
nuclei · CVSS 8.8 · HIGH
PhpCollab 2.5.1 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in logos_clients/ via clients/editclient.php.
Template:
```yaml
id: CVE-2017-6090
info:
  name: PhpColl 2.5.1 Arbitrary File Upload
  author: pikpikcu
  severity: high
  description: PhpCollab 2.5.1 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in logos_clients/ via clients/editclient.php.
  impact: |
    Successful exploitation of this vulnerability can result in unauthorized remote code execution on the affected system.
  remediation: |
    Apply the latest patch or
```
Metasploit
phpCollab 2.5.1 Unauthenticated File Upload
metasploit
This module exploits a file upload vulnerability in phpCollab 2.5.1 which could be abused to allow unauthenticated users to execute arbitrary code under the context of the web server user. The exploit has been tested on Ubuntu 16.04.3 64-bit
- https://sysdream.com/news/lab/2017-09-29-cve-2017-6090-phpcollab-2-5-1-arbitrary-file-upload-unauthenticated/
- https://www.exploit-db.com/exploits/42934/
- https://www.exploit-db.com/exploits/43519/

Timeline
- 2017-10-03: Published
- Exploited in the wild