CVE-2018-20166
Published 2019-01-02
Priority: P2 (62) · Severity: high · CVSS 3.0 base score: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 7.12% (93.5th percentile)
A file-upload vulnerability exists in Rukovoditel 2.3.1. index.php?module=configuration/save allows the user to upload a background image, and mishandles extension checking. It accepts uploads of PHP content if the first few characters match GIF data, and the filename ends in ".php" with mixed case, such as the .pHp extension.
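The flaw described above is a case-sensitive extension deny list combined with a magic-byte sniff. The following is an added example (not Rukovoditel's code; the deny list, the allow list and the function names are assumptions) that models that flawed check in Python next to a hardened allow-list check, so the two bypass conditions in the advisory (mixed-case `.pHp` plus a `GIF89a` prefix) can be exercised directly:

```python
import os
import uuid

# Constructed, case-sensitive deny list standing in for the .htaccess-style
# extension blacklist the advisory mentions (the real list is not on the page).
BLOCKED_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar"}
GIF_MAGIC = (b"GIF87a", b"GIF89a")

# Allow list for the hardened check: extension -> magic bytes it must start with.
IMAGE_TYPES = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}


def vulnerable_accepts(filename: str, content: bytes) -> bool:
    """Model of the flawed validation (hypothetical reconstruction, not the
    project's code): the extension is compared against the deny list exactly as
    submitted, so ".pHp" is not recognised, and the content check only looks at
    the leading magic bytes, which any PHP payload can be prefixed with."""
    _, ext = os.path.splitext(filename)
    if ext in BLOCKED_EXTENSIONS:
        return False
    return content.startswith(GIF_MAGIC)


def hardened_accepts(filename: str, content: bytes) -> bool:
    """Allow-list check: normalise the extension to lower case, require it to be
    a known image type, and require the content to start with that type's magic
    bytes. A GIF-prefixed PHP payload named shell.pHp fails on the extension."""
    _, ext = os.path.splitext(filename)
    magic = IMAGE_TYPES.get(ext.lower())
    if magic is None:
        return False
    return content.startswith(magic)


def stored_name(filename: str) -> str:
    """Never persist the client-supplied name: store under a random name with the
    normalised, allow-listed extension so the upload directory cannot contain a
    *.php file in any case variant."""
    _, ext = os.path.splitext(filename)
    ext = ext.lower()
    if ext not in IMAGE_TYPES:
        raise ValueError(f"extension not allowed: {ext}")
    return f"{uuid.uuid4().hex}{ext}"


if __name__ == "__main__":
    payload = b"GIF89a<?php system($_GET['cmd']); ?>"   # constructed polyglot
    print("vulnerable accepts shell.pHp:", vulnerable_accepts("shell.pHp", payload))
    print("hardened accepts shell.pHp:", hardened_accepts("shell.pHp", payload))
    print("stored as:", stored_name("background.GIF"))
```

The magic-byte check is not what closes the hole: an image header followed by PHP still passes it. The extension allow list, the regenerated filename, and serving the upload directory without a PHP handler are the controls that matter. One caveat when reasoning about why the mixed-case name still executes on the server: in Apache, `AddHandler`/`AddType` extension matching is case-insensitive, while a `FilesMatch` or `RewriteRule` pattern used as a deny list is case-sensitive unless written with `(?i)`, so a deny list can miss `.pHp` while the PHP handler still runs it.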
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rukovoditel | rukovoditel | — | — |
Detection & IOCs (extracted from sources)
- Detect PHP webshell upload attempts to Rukovoditel's configuration/save endpoint where the uploaded filename ends in a mixed-case .php extension (e.g., .pHp, .Php, .PhP) and the file content begins with GIF magic bytes.
- Monitor POST requests to /index.php?module=configuration/save containing multipart/form-data with a filename matching the regex \.[pP][hH][pP] as an indicator of exploitation.
- Alert on GET requests to /uploads/ following a POST to /index.php?module=configuration/save from the same client; this is the attacker requesting, and so executing, the uploaded webshell.
- Detect the session cookie pattern 'cookie_test=please_accept_for_session' in HTTP requests; this static string is used by the Metasploit exploit module for this CVE.
- The exploit requires authenticated access, so detection should account for a prior successful login POST to /index.php?module=users/login&action=login before the malicious upload occurs.
- The .htaccess file blocks many file extensions, so the bypass specifically relies on mixed-case PHP extensions that evade the case-sensitive extension blacklist.
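The indicators above, run as one detection over constructed request records, as an added example that is not part of the original page or of any published rule. The endpoint paths, the `cookie_test` string and the GIF/mixed-case conditions come from the list above; the `Request` shape, the multipart field name `background`, the client addresses and the rule names are assumptions made for the example. The multipart parser is deliberately minimal (boundary taken from the first body line) and is only meant for log replay, not for production parsing.

```python
import re
from dataclasses import dataclass

UPLOAD_PATH = "/index.php?module=configuration/save"
LOGIN_PATH = "/index.php?module=users/login&action=login"
MSF_COOKIE = "cookie_test=please_accept_for_session"
GIF_MAGIC = (b"GIF87a", b"GIF89a")
PHP_EXT = re.compile(r"\.php$", re.IGNORECASE)   # any case variant of .php
FILENAME_RE = re.compile(rb'filename="([^"]*)"')


@dataclass
class Request:
    src: str            # client address
    method: str
    path: str           # path plus query string, as logged
    cookie: str = ""
    body: bytes = b""


def uploaded_parts(body: bytes):
    """Return (filename, content) for each file part of a multipart body."""
    first_line, _, _ = body.partition(b"\r\n")
    if not first_line.startswith(b"--"):
        return []
    parts = []
    for chunk in body.split(first_line)[1:]:
        if chunk.startswith(b"--"):          # closing boundary
            break
        headers, _, content = chunk.partition(b"\r\n\r\n")
        match = FILENAME_RE.search(headers)
        if match:
            if content.endswith(b"\r\n"):
                content = content[:-2]
            parts.append((match.group(1).decode(errors="replace"), content))
    return parts


def analyze(requests):
    """Return (src, rule, severity, detail) alerts for the indicators above.
    Login and upload state is tracked per client so the /uploads/ GET rule only
    fires for a client that previously uploaded a .php-named file."""
    alerts = []
    logged_in, uploaded = set(), set()
    for r in requests:
        if MSF_COOKIE in r.cookie:
            alerts.append((r.src, "metasploit-cookie", "medium", r.path))
        if r.method == "POST" and r.path == LOGIN_PATH:
            logged_in.add(r.src)
        elif r.method == "POST" and r.path == UPLOAD_PATH:
            for name, content in uploaded_parts(r.body):
                if not PHP_EXT.search(name):
                    continue
                mixed_case = not name.endswith(".php")   # blacklist-bypass variant
                gif_header = content.startswith(GIF_MAGIC)
                severity = "high" if (mixed_case and gif_header) else "medium"
                auth = "authenticated" if r.src in logged_in else "no prior login seen"
                alerts.append((r.src, "php-upload", severity, f"{name} ({auth})"))
                uploaded.add(r.src)
        elif r.method == "GET" and r.path.startswith("/uploads/") and r.src in uploaded:
            alerts.append((r.src, "webshell-execution", "high", r.path))
    return alerts


BOUNDARY = b"----ExampleBoundary7MA4YWxk"


def multipart(filename: str, content: bytes) -> bytes:
    """Build a one-part multipart body (constructed; field name is an assumption)."""
    return (b"--" + BOUNDARY + b"\r\n"
            b'Content-Disposition: form-data; name="background"; filename="'
            + filename.encode() + b'"\r\nContent-Type: image/gif\r\n\r\n'
            + content + b"\r\n--" + BOUNDARY + b"--\r\n")


# Constructed traffic: one legitimate background change, one exploit sequence.
SAMPLE_TRAFFIC = [
    Request("10.0.0.9", "POST", LOGIN_PATH),
    Request("10.0.0.9", "POST", UPLOAD_PATH, body=multipart("bg.gif", b"GIF89a\x01\x00")),
    Request("10.0.0.9", "GET", "/uploads/bg.gif"),
    Request("10.0.0.5", "POST", LOGIN_PATH, cookie=MSF_COOKIE),
    Request("10.0.0.5", "POST", UPLOAD_PATH, cookie=MSF_COOKIE,
            body=multipart("shell.pHp", b"GIF89a<?php system($_GET['cmd']); ?>")),
    Request("10.0.0.5", "GET", "/uploads/shell.pHp?cmd=id", cookie=MSF_COOKIE),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_TRAFFIC):
        print(alert)
```

The legitimate client never triggers a rule because its upload name does not match `.php` in any case, so its later GET of `/uploads/bg.gif` is not correlated. The `metasploit-cookie` rule is the weakest of the four (a static string is trivial to change), which is why the upload and follow-up GET rules carry the higher severities.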
CVSS provenance
- NVD, CVSS v3.0: 8.8 HIGH (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 6.5 MEDIUM (AV:N/AC:L/Au:S/C:P/I:P/A:P)
No detection rules found.
No writeups or analysis indexed.
References
- https://pentest.com.tr/exploits/Rukovoditel-Project-Management-CRM-2-3-1-Authenticated-Remote-Code-Execution.html
- https://www.exploit-db.com/exploits/46011