CVE-2018-19422
Published 2018-11-21
CVE-2018-19422: /panel/uploads in Subrion CMS 4.2.1 allows remote attackers to execute arbitrary PHP code via a .pht or .phar file, because the .htaccess file omits these.
Priority P267 · Severity: high · CVSS 3.1 base score 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Exploit available · EPSS 64.26% (99.1th percentile)
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| intelliants | subrion | >= 0 < 4.2.2 | 4.2.2 |
| intelliants | subrion_cms | — | — |
Detection & IOCs (extracted from sources)
- Detect POST requests to /panel/uploads/read.json uploading files with .phar, .pht, or .xhtml extensions; these bypass the .htaccess blacklist and are the exploit delivery mechanism.
- Alert on GET requests to /uploads/*.phar, /uploads/*.pht, or /uploads/*.xhtml containing a ?cmd= query parameter, indicating webshell command execution post-upload.
- Flag multipart file uploads to /panel/uploads/read.json where the uploaded filename has a .phar, .pht, or .xhtml extension; the exploit uses a randomized base name with these extensions.
- The exploit requires prior authentication; unauthenticated exploitation is not possible. Detection should account for a valid authenticated session preceding the malicious upload.
- The uploaded .phar webshell uses a randomized filename, so static filename-based detection will not be reliable; pattern-based detection on the extension and upload path is required.
- The webshell deletes itself after use, limiting forensic artifact recovery from disk; network-based detection of the ?cmd= execution pattern is more reliable.
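As an added example (not code from any of the sources indexed here), a small Python detector that implements the detection points above: the upload-filename rule for a proxy or WAF log that records multipart filenames, and the /uploads/ fetch rule for an assumed Apache combined-format access log. It generalises the second rule so that any request for an unblocked-extension file under /uploads/ is flagged, with ?cmd= escalating the finding. The endpoint, upload directory and log format are assumptions, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs
# Extensions the Subrion 4.2.1 .htaccess deny-list omits, per the advisory text above.
UNBLOCKED_EXTS = (".phar", ".pht", ".xhtml")
UPLOAD_ENDPOINT = "/panel/uploads/read.json"  # upload handler named in the detection notes
UPLOAD_DIR = "/uploads/"                       # assumed web path of uploaded files
# Apache "combined" access-log prefix; the log format is an assumption of this example.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3}')

def has_unblocked_ext(filename):
    """True when the name ends in an extension the .htaccess never denies."""
    return filename.lower().endswith(UNBLOCKED_EXTS)

def check_upload(method, path, upload_filename):
    """Rules 1 and 3: POST to the upload endpoint carrying a .phar/.pht/.xhtml name. The name
    comes from the multipart Content-Disposition, so a proxy/WAF log is needed, not access.log."""
    if method == "POST" and path == UPLOAD_ENDPOINT and has_unblocked_ext(upload_filename):
        return "upload-unblocked-ext"
    return None

def check_fetch(method, target):
    """Rule 2, generalised: any GET for an unblocked-extension file under /uploads/ is
    suspicious; with a ?cmd= parameter it is the post-upload command-execution pattern."""
    parts = urlsplit(target)
    if method != "GET" or not parts.path.startswith(UPLOAD_DIR):
        return None
    if not has_unblocked_ext(parts.path.rsplit("/", 1)[-1]):
        return None
    if "cmd" in parse_qs(parts.query, keep_blank_values=True):
        return "webshell-exec"
    return "unblocked-ext-fetch"

def scan_access_log(lines):
    """Return (ip, target, finding) for each access-log line that check_fetch flags."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (finding := check_fetch(m["method"], m["target"])):
            findings.append((m["ip"], m["target"], finding))
    return findings

# Constructed sample lines (not real traffic): an admin session uploads, then triggers the file.
SAMPLE_LOG = [
    '10.0.0.5 - admin [17/May/2021:10:01:02 +0000] "POST /panel/uploads/read.json HTTP/1.1" 200 312',
    '10.0.0.5 - - [17/May/2021:10:01:05 +0000] "GET /uploads/kq3x8f.phar?cmd=id HTTP/1.1" 200 57',
    '10.0.0.7 - - [17/May/2021:10:02:11 +0000] "GET /uploads/logo.png HTTP/1.1" 200 4096',
    '10.0.0.9 - - [17/May/2021:10:03:40 +0000] "GET /uploads/notes.pht HTTP/1.1" 404 198',
]
```

Because the access log never shows the multipart filename, the POST on the first sample line is only caught when check_upload is fed from a log that records it; the 404 on the last line still matters, since a probe for a .pht file under /uploads/ is worth correlating with the preceding authenticated session.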
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
OSV · 2022-05-13
CVE-2018-19422 [HIGH] Subrion CMS RCE Vulnerability
`/panel/uploads` in Subrion CMS 4.2.1 allows remote attackers to execute arbitrary PHP code via a .pht or .phar file, because the .htaccess file omits these.
GHSA · 2022-05-13
CVE-2018-19422 [HIGH] CWE-434 Subrion CMS RCE Vulnerability
`/panel/uploads` in Subrion CMS 4.2.1 allows remote attackers to execute arbitrary PHP code via a .pht or .phar file, because the .htaccess file omits these.
No detection rules found.
Exploit-DB · 2021-05-17 · CVSS 7.2
CVE-2018-19422 [HIGH] Subrion CMS 4.2.1 - Arbitrary File Upload
---
```python
# Exploit Title: Subrion CMS 4.2.1 - File Upload Bypass to RCE (Authenticated)
# Date: 17/05/2021
# Exploit Author: Fellipe Oliveira
# Vendor Homepage: https://subrion.org/
# Software Link: https://github.com/intelliants/subrion
# Version: SubrionCMS 4.2.1
# Tested on: Debian9, Debian 10 and Ubuntu 16.04
# CVE: CVE-2018-19422
# Exploit Requirements: BeautifulSoup library
# https://github.com/intelliants/subrion/issues/801
#!/usr/bin/python3
import requests
import time
import optparse
import random
import string
from bs4 import BeautifulSoup
parser = optparse.OptionParser()
parser.add_option('-u', '--url', action="store", dest="url", help="Base target uri http://target/panel")
parser.add_option('-l', '--user', action="store", dest="user", h
```
Metasploit
Intelliants Subrion CMS 4.2.1 - Authenticated File Upload Bypass to RCE
This module exploits an authenticated file upload vulnerability in Subrion CMS versions 4.2.1 and lower. The vulnerability is caused by the .htaccess file not preventing the execution of .pht, .phar, and .xhtml files. Files with these extensions are not included in the .htaccess blacklist, hence these files can be uploaded and executed to achieve remote code execution. In this module, a .phar file with a randomized name is uploaded and executed to receive a Meterpreter session on the target; the file then deletes itself.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/162591/Subrion-CMS-4.2.1-Shell-Upload.html
- http://packetstormsecurity.com/files/173998/Intelliants-Subrion-CMS-4.2.1-Remote-Code-Execution.html
- https://github.com/intelliants/subrion/issues/801