CVE-2017-6090
published 2017-10-03

Priority: P184 high, 8.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 96.07% (99.9th percentile)
Unrestricted file upload vulnerability in clients/editclient.php in PhpCollab 2.5.1 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in logos_clients/.

Affected

1 range
Vendor | Product | Version range | Fixed in
phpcollab | phpcollab | <= 2.5.1 | -

Detection & IOCs (extracted from sources)

path: /clients/editclient.php
path: /logos_clients/
url: /clients/editclient.php?id=1&action=update
url: http://phpCollab.lan/logos_clients/1.php
filename: backdoor.php
  • Detect GET requests to /logos_clients/*.php (or other executable extensions), which indicate an attacker triggering a previously uploaded webshell.
  • The uploaded file is stored as <id>.<extension> under logos_clients/; monitor for newly created PHP files in that directory on the web server filesystem.
  • Fingerprint exposed PhpCollab instances via Shodan/FOFA using the page title; these are likely vulnerable targets.
  • The Metasploit module generates a filename of the form <random_alpha>.php (e.g. 1.abcdefgh.php) as the upload filename; look for multipart uploads with double-extension .*.php filenames to /clients/editclient.php.
  • The NVD entry describes the vulnerability as requiring authentication ('remote authenticated users'), but the exploit-db PoC and Metasploit module demonstrate it is exploitable unauthenticated in practice.
  • The uploaded file is renamed server-side to <id>.<extension>, so the original filename in the upload request will not match the filename accessible under logos_clients/; detections must account for both the upload filename and the resulting server-side path.
  • The vulnerable code does not filter by extension at all: any extension (not just .php) can be uploaded and executed if the web server is configured to execute it.
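
A log-side sketch of the checks above, added here as an example and not taken from the CVE sources: it flags requests for executable files under logos_clients/ and raises the severity when the same address earlier sent an upload request to clients/editclient.php for the matching client id, since the file is stored as <id>.<extension>. The Combined Log Format, the extension list, the severity labels and the log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: extensions a PHP-enabled web server may hand to the interpreter.
EXEC_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht"}
# Assumption: Combined Log Format -> ip ident user [time] "METHOD target PROTO" status
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3})')
STORED = re.compile(r"/logos_clients/([^/]+)\.([a-z0-9]+)$")

SAMPLE_LOG = [  # constructed lines, not from a real server
    '203.0.113.7 - - [03/Oct/2017:10:00:01 +0000] "POST /clients/editclient.php?id=1&action=update HTTP/1.1" 302 0',
    '203.0.113.7 - - [03/Oct/2017:10:00:05 +0000] "GET /logos_clients/1.php HTTP/1.1" 200 12',
    '198.51.100.9 - - [03/Oct/2017:10:02:00 +0000] "GET /logos_clients/2.png HTTP/1.1" 200 5120',
    '198.51.100.9 - - [03/Oct/2017:10:03:00 +0000] "GET /logos_clients/3.phtml HTTP/1.1" 404 0',
]

def scan(lines):
    """Return (severity, ip, detail) findings for an iterable of access-log lines."""
    uploads = set()   # (ip, client id) pairs seen posting to the logo upload endpoint
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        ip, method, target, status = m.groups()
        url = urlsplit(target)
        path, query = url.path.lower(), parse_qs(url.query)
        if (method == "POST" and path.endswith("/clients/editclient.php")
                and query.get("action") == ["update"]):
            cid = query.get("id", [""])[0]
            uploads.add((ip, cid))
            # Also a normal admin action, so informational on its own.
            findings.append(("info", ip, f"logo upload request for client id {cid}"))
        hit = STORED.search(path)
        if hit and hit.group(2) in EXEC_EXT:
            # Match on the server-side name <id>.<ext>, not the uploaded filename.
            served = (ip, hit.group(1)) in uploads and status == "200"
            findings.append(("critical" if served else "high", ip,
                             f"executable file requested: {url.path}"))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

Access logs do not record the multipart filename, so the upload-filename check described above needs request-body visibility (for example at a WAF or reverse proxy) in addition to this path-based check.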

CVSS provenance

nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P
vulncheck | 8.8 | HIGH