CVE-2018-17553
Published 2018-10-03
Priority: P1 · 80 · high
CVSS 3.0: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 78.99% (99.5th percentile)
An "Unrestricted Upload of File with Dangerous Type" issue with directory traversal in navigate_upload.php in Naviwebs Navigate CMS 2.8 allows authenticated attackers to achieve remote code execution via a POST request with engine=picnik and id=../../../navigate_info.php.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| naviwebs | navigate_cms | — | — |
Detection & IOCs (extracted from sources)
- Detect POST requests to navigate_upload.php containing query parameters engine=picnik and id= with path traversal sequences (e.g., ../) targeting navigate_info.php
- Alert on session cookies matching the pattern NVSID_* obtained immediately after a POST to login.php with the SQLi bypass cookie, indicating successful auth bypass
- Monitor for multipart/form-data file uploads to navigate_upload.php where the uploaded file has a JPEG content-type but contains PHP code, indicating a disguised webshell upload
- Detect GET requests to /navigate/navigate_info.php shortly after a POST upload to navigate_upload.php, which is the payload trigger step of the exploit chain
- The exploit chains CVE-2018-17552 (authentication bypass via SQL injection in the navigate-user cookie) with CVE-2018-17553 (file upload path traversal). Detection must cover both steps; blocking only the upload endpoint is insufficient if the auth bypass is not also detected.
- The GET query parameters (session_id, engine, id) in the upload request are shuffled in order by the Metasploit module, so detection rules should not rely on a fixed parameter order.
- The module overwrites navigate_info.php with an empty string after session establishment to clean up; forensic analysis of navigate_info.php content may show an empty file post-exploitation rather than a webshell.
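The first, fourth and sixth detection points above (the traversal upload, the trigger GET that follows it, and the shuffled parameter order) can be implemented as one log-parsing check. The following is an added example, not code from the page's sources or from any vendor or Metasploit module: it parses constructed Apache combined-format access-log lines (the IPs, timestamps and session_id values are made up), decodes the query string with a real parser so parameter order and percent-encoding do not matter, flags a POST to navigate_upload.php whose engine is picnik and whose id contains a traversal sequence, and then correlates a GET to navigate_info.php from the same source within a window. The 60-second window and the traversal regex are assumptions chosen for the example.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Apache combined format). These are NOT
# real captures; source IPs, timestamps and session ids are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Oct/2018:10:15:01 +0000] "POST /navigate/navigate_upload.php?id=..%2F..%2F..%2Fnavigate_info.php&session_id=abc&engine=picnik HTTP/1.1" 200 12 "-" "Mozilla/5.0"
10.0.0.5 - - [03/Oct/2018:10:15:03 +0000] "GET /navigate/navigate_info.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [03/Oct/2018:10:20:00 +0000] "POST /navigate/navigate_upload.php?engine=picnik&id=1234&session_id=xyz HTTP/1.1" 200 12 "-" "Mozilla/5.0"
10.0.0.9 - - [03/Oct/2018:10:20:05 +0000] "GET /navigate/navigate_info.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [03/Oct/2018:11:00:00 +0000] "GET /navigate/navigate_info.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format matcher: source, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." path component bounded by a separator or the string edge (assumed pattern).
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
# How long after a traversal upload a GET of navigate_info.php counts as the trigger (assumed).
TRIGGER_WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    # parse_qs percent-decodes values and is indifferent to parameter order,
    # which matters because the module shuffles session_id/engine/id.
    qs = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {"src": m.group("src"), "ts": ts, "method": m.group("method"),
            "path": parts.path, "params": qs}


def is_traversal_upload(ev):
    """True for a POST to navigate_upload.php with engine=picnik and a traversal in id."""
    if ev["method"] != "POST" or not ev["path"].endswith("/navigate_upload.php"):
        return False
    if ev["params"].get("engine") != "picnik":
        return False
    # Decode once more so a double-encoded "..%252F" does not slip past the regex.
    ident = unquote(ev["params"].get("id", ""))
    return bool(TRAVERSAL_RE.search(ident))


def detect(log_text):
    """Return (alert_type, source_ip, timestamp) tuples for the upload and trigger steps."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    alerts = []
    last_upload = {}  # source ip -> timestamp of its most recent traversal upload
    for ev in events:
        if is_traversal_upload(ev):
            alerts.append(("traversal_upload", ev["src"], ev["ts"]))
            last_upload[ev["src"]] = ev["ts"]
        elif ev["method"] == "GET" and ev["path"].endswith("/navigate_info.php"):
            prior = last_upload.get(ev["src"])
            if prior is not None and timedelta(0) <= ev["ts"] - prior <= TRIGGER_WINDOW:
                alerts.append(("payload_trigger", ev["src"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, src, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {src} {kind}")
```

On the constructed input only the first source trips both alerts: the upload with id=1234 is a legitimate-looking upload and the unrelated GET of navigate_info.php without a preceding traversal upload is ignored, so the correlation step keeps the trigger check from alerting on every visit to that file.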
CVSS provenance
- NVD, CVSS v3.0: 8.8 HIGH (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 6.5 MEDIUM (AV:N/AC:L/Au:S/C:P/I:P/A:P)
No detection rules found.
Exploit-DB
Navigate CMS - (Unauthenticated) Remote Code Execution (Metasploit)
exploitdb · 2018-10-08
---
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'Navigate CMS Unauthenticated Remote Code Execution',
      'Description'    => %q(
        This module exploits insufficient sanitization in the database::protect
        method, of Navigate CMS versions 2.8 and prior, to bypass authentication.
        The module then uses a path traversal vulnerability in navigate_upload.php
        that allows authenticated users to upload PHP files to arbitrary locations.
        Together these vulnerabilities allow an unauthenticated attacker to
        execute arbitrary PHP code remotely.
        This module was tested against Navigate CMS 2.8.
      ),
      'Author'         =>
        [
          'Pyriphlegethon' #
```
Metasploit
Navigate CMS Unauthenticated Remote Code Execution
metasploit
This module exploits insufficient sanitization in the database::protect method, of Navigate CMS versions 2.8 and prior, to bypass authentication. The module then uses a path traversal vulnerability in navigate_upload.php that allows authenticated users to upload PHP files to arbitrary locations. Together these vulnerabilities allow an unauthenticated attacker to execute arbitrary PHP code remotely. This module was tested against Navigate CMS 2.8.
No writeups or analysis indexed.
- https://github.com/NavigateCMS/Navigate-CMS/commit/2bdcb8b3c5bb23851a2115db96585f1ac8cb2d1e
- https://github.com/rapid7/metasploit-framework/pull/10704
- https://www.exploit-db.com/exploits/45561/
Published: 2018-10-03