CVE-2018-6411
published 2018-05-26

Priority: P2 · 61
CVSS 3.0: 9.8 critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: yes (public PoC, see Detection & IOCs)
EPSS: 5.88% (92.3rd percentile)
An issue was discovered in Appnitro MachForm before 4.2.3. When the form is set to filter a blacklist, it automatically adds dangerous extensions to the filters. If the filter is set to a whitelist, the dangerous extensions can be bypassed through ap_form_elements SQL Injection.

Affected (1 range)

Vendor    Product   Version range   Fixed in
machform  machform  < 4.2.3         4.2.3

Detection & IOCs (extracted from sources)

URL: http://[URL]/[Machform_folder]/download.php?q=ZWw9IChTRUxFQ1QgMSBGUk9NKFNFTEVDVCBDT1VOVCgqKSxDT05DQVQoMHgyMDIwLChTRUxFQ1QgTUlEKCh1c2VyX2VtYWlsKSwxLDUwKSBGUk9NIGFwX3VzZXJzIE9SREVSIEJZIHVzZXJfaWQgTElNSVQgMCwxKSwweDIwMjAsRkxPT1IoUkFORCgwKSoyKSl4IEZST00gSU5GT1JNQVRJT05fU0NIRU1BLkNIQVJBQ1RFUl9TRVRTIEdST1VQIEJZIHgpYSkgOyZpZD0xJmhhc2g9MSZmb3JtX2lkPTE=
Path: /data/form_58009/files/
Command: update ap_form_elements set element_file_type_list="php", element_file_block_or_allow="a" where form_id=58009 and element_id=4;
  • Alert on SQL UPDATE statements against the 'ap_form_elements' table that set 'element_file_block_or_allow' to 'a' (allow) and 'element_file_type_list' to dangerous extensions such as 'php'; this is the whitelist flip that enables arbitrary file upload.
  • Use Google dorks to identify exposed MachForm instances: search for 'machform' combined with inurl:"view.php" or inurl:"embed.php" to find potentially vulnerable deployments.
  • Monitor web server access logs for GET requests to the /data/form_*/files/ directory path, which is where uploaded webshells would be stored and executed after a successful upload bypass.
  • The file upload filter bypass (CVE-2018-6411) only applies when the form's file upload element is configured in whitelist ('allow') mode. Blacklist mode automatically adds dangerous extensions to the filter and is not directly bypassable through this vector alone; the bypass requires prior SQL injection access to flip the configuration.
  • The SQL injection payload uses the 'ap_users' table name, where 'ap_' is the default MachForm table prefix (MF_TABLE_PREFIX). Installations using a custom table prefix will have different table names, which affects both exploitation and detection signatures.
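The three IOC types above map onto three detection stages: the base64-encoded q parameter of download.php (the PoC value decodes to an error-based MySQL injection that reads ap_users.user_email through a duplicate-key error on INFORMATION_SCHEMA.CHARACTER_SETS), the ap_form_elements UPDATE that flips an element to whitelist mode, and a script fetched from the /data/form_*/files/ upload directory. The following is an added example, not MachForm's code or anything from the sources cited on this page. It runs all three checks over constructed access-log lines and SQL statements; only the PoC q value and the UPDATE command are taken from the IOC list. The /machform/ install path, the benign q value and the custom 'mf_' table prefix are assumptions, and the UPDATE match is written prefix-agnostic for the reason given in the last note above.

```python
"""Detection sketch for the three stages of CVE-2018-6411 exploitation
(added example, not MachForm or cvebase code). All log data below is constructed,
except the PoC q= value and the UPDATE statement copied from the IOC list."""
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

# Stage 1, SQL injection. The PoC's q= decodes to:
#   el= (SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x2020,(SELECT MID((user_email),1,50)
#   FROM ap_users ORDER BY user_id LIMIT 0,1),0x2020,FLOOR(RAND(0)*2))x
#   FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) ;&id=1&hash=1&form_id=1
# A legitimate value has no SQL keywords in it, so match on common markers.
SQLI_MARKERS = re.compile(
    r"\b(select|union|concat|information_schema|floor\s*\(\s*rand|"
    r"sleep\s*\(|extractvalue|updatexml)\b", re.I)

# Stage 2, configuration flip (MySQL general/audit log). \w*form_elements instead
# of ap_form_elements because MF_TABLE_PREFIX may not be the default 'ap_'.
CONFIG_FLIP = re.compile(
    r"update\s+\w*form_elements\s+set\b.*?"
    r"element_file_block_or_allow\s*=\s*['\"]a['\"]", re.I | re.S)

# Stage 3, webshell use: a server-side script requested from the upload directory.
SHELL_PATH = re.compile(
    r"/data/form_\d+/files/[^?\s]+\.(?:php\d?|phtml|phar)\b", re.I)

# Request field of an Apache/nginx combined-format access-log line.
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_q(target):
    """Base64-decode the q= parameter of a download.php request; None otherwise."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/download.php"):
        return None
    for pair in parts.query.split("&"):
        name, _, value = pair.partition("=")
        if name == "q":
            q = unquote(value)  # unquote, not parse_qs: a literal '+' must survive
            break
    else:
        return None
    try:
        raw = base64.b64decode(q + "=" * (-len(q) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")


def classify_request(line):
    """Return finding labels for one access-log line (empty list if clean)."""
    findings = []
    m = REQ_RE.search(line)
    if not m:
        return findings
    target = m.group("target")
    decoded = decode_q(target)
    if decoded is not None and SQLI_MARKERS.search(decoded):
        findings.append("sqli: download.php q= decodes to SQL")
    if SHELL_PATH.search(target):
        findings.append("webshell: script fetched from /data/form_*/files/")
    return findings


def is_whitelist_flip(statement):
    """True if a logged SQL statement switches a file element to allow-mode."""
    return CONFIG_FLIP.search(statement) is not None


# PoC q= value from the IOC list; the benign one is constructed for contrast.
POC_Q = "ZWw9IChTRUxFQ1QgMSBGUk9NKFNFTEVDVCBDT1VOVCgqKSxDT05DQVQoMHgyMDIwLChTRUxFQ1QgTUlEKCh1c2VyX2VtYWlsKSwxLDUwKSBGUk9NIGFwX3VzZXJzIE9SREVSIEJZIHVzZXJfaWQgTElNSVQgMCwxKSwweDIwMjAsRkxPT1IoUkFORCgwKSoyKSl4IEZST00gSU5GT1JNQVRJT05fU0NIRU1BLkNIQVJBQ1RFUl9TRVRTIEdST1VQIEJZIHgpYSkgOyZpZD0xJmhhc2g9MSZmb3JtX2lkPTE="
BENIGN_Q = base64.b64encode(b"el=4&id=12&hash=3f9c&form_id=58009").decode()

ACCESS_LOG = [  # constructed lines; /machform/ install path is an assumption
    f'10.0.0.5 - - [26/May/2018:10:01:02 +0000] "GET /machform/download.php?q={BENIGN_Q} HTTP/1.1" 200 512',
    f'198.51.100.7 - - [26/May/2018:10:02:17 +0000] "GET /machform/download.php?q={POC_Q} HTTP/1.1" 500 1320',
    '198.51.100.7 - - [26/May/2018:10:05:44 +0000] "GET /machform/data/form_58009/files/cmd.php?c=id HTTP/1.1" 200 88',
    '10.0.0.9 - - [26/May/2018:10:06:00 +0000] "GET /machform/view.php?id=58009 HTTP/1.1" 200 4096',
]

SQL_LOG = [  # IOC command, a constructed custom-prefix variant, a blocklist-mode write
    'update ap_form_elements set element_file_type_list="php", element_file_block_or_allow="a" where form_id=58009 and element_id=4;',
    "UPDATE mf_form_elements SET element_file_block_or_allow='a', element_file_type_list='php,phtml' WHERE form_id=1",
    'update ap_form_elements set element_file_block_or_allow="b" where form_id=58009 and element_id=4;',
]


def scan(access_lines, sql_lines):
    """Run both detectors; returns ([(line, findings)], [flagged SQL statements])."""
    hits = []
    for line in access_lines:
        findings = classify_request(line)
        if findings:
            hits.append((line, findings))
    flips = [s for s in sql_lines if is_whitelist_flip(s)]
    return hits, flips


if __name__ == "__main__":
    hits, flips = scan(ACCESS_LOG, SQL_LOG)
    for line, findings in hits:
        print(findings, "<-", line.split('"')[1])
    for statement in flips:
        print("config flip:", statement)
```

The decoded-q check is the earliest signal and needs only the web server's access log. The UPDATE match is visible only if statement logging is enabled on the database, and it also fires when an administrator legitimately switches an element to whitelist mode, so treat it as a lead to correlate with the other two stages rather than a verdict on its own.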

CVSS provenance

NVD v3.0: 9.8 CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 7.5 HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P