CVE-2018-6411
Published: 2018-05-26
Priority: P261 · Severity: critical · CVSS 3.0 base score: 9.8
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 5.88% (92.3rd percentile)
An issue was discovered in Appnitro MachForm before 4.2.3. When the form is set to filter a blacklist, it automatically adds dangerous extensions to the filters. If the filter is set to a whitelist, the dangerous extensions can be bypassed through ap_form_elements SQL Injection.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| machform | machform | — | — |
Detection & IOCs (extracted from sources)
- URL: http://[URL]/[Machform_folder]/download.php?q=ZWw9IChTRUxFQ1QgMSBGUk9NKFNFTEVDVCBDT1VOVCgqKSxDT05DQVQoMHgyMDIwLChTRUxFQ1QgTUlEKCh1c2VyX2VtYWlsKSwxLDUwKSBGUk9NIGFwX3VzZXJzIE9SREVSIEJZIHVzZXJfaWQgTElNSVQgMCwxKSwweDIwMjAsRkxPT1IoUkFORCgwKSoyKSl4IEZST00gSU5GT1JNQVRJT05fU0NIRU1BLkNIQVJBQ1RFUl9TRVRTIEdST1VQIEJZIHgpYSkgOyZpZD0xJmhhc2g9MSZmb3JtX2lkPTE=
- Command: update ap_form_elements set element_file_type_list="php", element_file_block_or_allow="a" where form_id=58009 and element_id=4;
- Alert on SQL UPDATE statements targeting the 'ap_form_elements' table that set 'element_file_block_or_allow' to 'a' (allow) and 'element_file_type_list' to dangerous extensions such as 'php', indicating a whitelist bypass for arbitrary file upload.
- Use Google dorks to identify exposed MachForm instances: search for 'machform' combined with inurl:"view.php" or inurl:"embed.php" to find potentially vulnerable deployments.
- Monitor web server access logs for GET requests to the /data/form_*/files/ directory path, which is where uploaded webshells would be stored and executed after a successful upload bypass.
- The file upload filter bypass (CVE-2018-6411) only applies when the form's file upload element is configured to use a WHITELIST ('allow') mode. Blacklist mode automatically adds dangerous extensions and is not directly bypassable via this vector alone; the bypass requires prior SQL injection access to flip the configuration.
- The SQL injection payload uses the 'ap_users' table name with the 'ap_' prefix, which is the default MachForm table prefix (MF_TABLE_PREFIX). Installations using a custom table prefix will have different table names, affecting both exploitation and detection signatures.
CVSS provenance
- NVD, CVSS v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
References
- https://metalamin.github.io/MachForm-not-0-day-EN/
- https://www.exploit-db.com/exploits/44804/
- https://www.machform.com/blog-machform-423-security-release/