CVE-2018-11686
published 2019-07-03

CVE-2018-11686: The Publish Service in FlexPaper (later renamed FlowPaper) 2.3.6 allows remote code execution via setup.php and change_config.php.

Priority: P189 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 49.79% (98.8th percentile)

Affected

1 range

Vendor | Product | Version range | Fixed in
flowpaper | flexpaper | <= 2.3.6 |

Detection & IOCs (extracted from sources)

path: /php/change_config.php
path: /php/setup.php
path: /php/tiger_shell.php
url: /php/tiger_shell.php?cmd=<CMD>&access=09877376116472742784324824mxmmxm
path: /php/config/output.txt
command: GET /php/setup.php?step=4&PDF2SWF_PATH=echo+{{cmd_b}}+%7C+base64+-d+%7C+sh+%3Econfig/output.txt%3B HTTP/1.1
command: POST /php/change_config.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded SAVE_CONFIG=1&SWF_Directory=config/
  • Detect exploitation attempt via POST to change_config.php with SAVE_CONFIG parameter
  • Detect RCE trigger via GET request to setup.php with step=4 and PDF2SWF_PATH parameter containing shell commands
  • Detect webshell access via tiger_shell.php with hardcoded access token 09877376116472742784324824mxmmxm in query string
  • A successful config-save step redirects to index.php?msg=Configuration%20saved! — presence of this redirect confirms the precondition for RCE is met
  • Monitor for creation or access of /php/config/output.txt, which is used to capture command output during exploitation
  • Shodan/FOFA exposure query: search for servers with title 'FlexPaper' to identify potentially vulnerable internet-facing instances
  • The exploit drops a webshell (tiger_shell.php) under /php/ with a hardcoded access token; defenders should scan for this file as a post-exploitation persistence indicator
  • The RCE chain requires two stages: first a POST to change_config.php to set SWF_Directory, then a GET to setup.php with a base64-encoded shell command in PDF2SWF_PATH; detection logic must account for both steps
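
The two-stage correlation described in the detection notes above, as an added example (not taken from the page's sources). It assumes web server access logs in combined format; the sample lines, the function name scan, the finding labels and the 10-minute window are constructed for illustration.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
192.0.2.44 - - [03/Jul/2019:09:58:00 +0000] "POST /php/change_config.php HTTP/1.1" 302 0
203.0.113.7 - - [03/Jul/2019:10:00:01 +0000] "POST /php/change_config.php HTTP/1.1" 302 0
203.0.113.7 - - [03/Jul/2019:10:00:03 +0000] "GET /php/setup.php?step=4&PDF2SWF_PATH=echo+PLACEHOLDER+%7C+base64+-d+%7C+sh+%3Econfig/output.txt%3B HTTP/1.1" 200 512
203.0.113.7 - - [03/Jul/2019:10:00:04 +0000] "GET /php/config/output.txt HTTP/1.1" 200 33
198.51.100.9 - - [03/Jul/2019:11:30:00 +0000] "GET /php/tiger_shell.php?cmd=REDACTED&access=09877376116472742784324824mxmmxm HTTP/1.1" 200 40
198.51.100.20 - - [03/Jul/2019:12:00:00 +0000] "GET /php/setup.php?step=1 HTTP/1.1" 200 900
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
SHELL_META = re.compile(r"[|;&`$<>]")
WINDOW = timedelta(minutes=10)  # assumed correlation window between the two stages

def scan(log_text):
    """Return (client_ip, finding) tuples in log order."""
    findings, last_config_save = [], {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ip, ts, method, target, _status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        url = urlsplit(target)
        query = parse_qs(url.query)  # also URL-decodes the values
        if method == "POST" and url.path.endswith("/php/change_config.php"):
            # Stage 1. The body (SAVE_CONFIG=1&SWF_Directory=...) is not in access logs.
            last_config_save[ip] = when
            findings.append((ip, "config_save"))
        elif url.path.endswith("/php/setup.php") and query.get("step") == ["4"]:
            path_arg = " ".join(query.get("PDF2SWF_PATH", []))
            if SHELL_META.search(path_arg):
                # Stage 2. Escalate when the same client did stage 1 shortly before.
                prior = last_config_save.get(ip)
                chained = prior is not None and when - prior <= WINDOW
                findings.append((ip, "rce_chain" if chained else "rce_trigger"))
        elif url.path.endswith("/php/tiger_shell.php"):
            findings.append((ip, "webshell_access"))
        elif url.path.endswith("/php/config/output.txt"):
            findings.append((ip, "output_file_read"))
    return findings

if __name__ == "__main__":
    for ip, finding in scan(SAMPLE_LOG):
        print(f"{ip:15} {finding}")
```

A lone config_save (the 192.0.2.44 line) can be a legitimate administrator change, which is why the stage-2 request is what raises the severity.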

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck | | 9.8 | CRITICAL |