CVE-2019-11447
Published 2019-04-22
Priority: P1 · 85 · high · CVSS 3.0: 8.8
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 52.90% (98.8th percentile)
An issue was discovered in CutePHP CuteNews 2.1.2. An attacker can infiltrate the server through the avatar upload process in the profile area via the avatar_file field to index.php?mod=main&opt=personal. There is no effective control of $imgsize in /core/modules/dashboard.php. The header content of a file can be changed and the control can be bypassed for code execution. (An attacker can use the GIF header for this.)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cutephp | cutenews | — | — |
Detection & IOCs
- bytes: GIF8;
- bytes: GIF
- Detect multipart POST to index.php containing avatar_file field with a PHP filename and a GIF magic-byte header prefix — this is the core upload bypass technique.
- Alert on HTTP GET or POST requests to /CuteNews/uploads/avatar_*.php — successful exploitation results in a PHP webshell accessible at this path.
- Monitor POST requests to index.php?mod=main&opt=personal with a multipart body containing a .php filename in the avatar_file part — indicates active exploitation attempt.
- Watch for rapid sequential registration followed by profile update (avatar upload) from the same session/IP — the exploit registers a throwaway user then immediately uploads the webshell.
- Detect unauthenticated or newly-registered user access to /CuteNews/cdata/users/lines — the exploit harvests SHA-256 password hashes from this endpoint.
- Flag POST requests to index.php with action=register followed by a regemail matching the pattern *@hack.me — used by the public PoC exploit.
- Inspect uploaded image files in the avatar directory for GIF magic bytes (GIF8;) prepended to PHP code — the bypass relies on this header to pass the imgsize check.
- The vulnerable code path is in /core/modules/dashboard.php where $imgsize is not properly controlled — patching or WAF rules should target this file's avatar upload handling.
- No admin privileges are required to exploit this vulnerability — any ordinary registered user can trigger the upload and achieve RCE.
- The Metasploit module targets CuteNews versions strictly below 2.1.3; version detection is based on the version string in the index.php response body.
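A defender-side sketch of three of the checks listed above, added here as an example and not taken from the page's sources: it inspects avatar files for a GIF header followed by a PHP open tag, and labels access-log lines that request an avatar `.php` file or POST to the profile page. The function names, the combined log format and the sample log lines are assumptions constructed for the example.

```python
import re
from pathlib import Path

# Image magic the page lists ("GIF8;" / "GIF") and PHP open tags.
GIF_MAGIC = b"GIF"
PHP_TAG = re.compile(rb"<\?(?:php|=)", re.IGNORECASE)
# Request patterns taken from the detection notes above.
AVATAR_PHP = re.compile(r"/uploads/avatar_[^/\s?]*\.php\b", re.IGNORECASE)
PROFILE_POST = re.compile(r'"POST \S*index\.php\?mod=main&opt=personal\b')


def is_disguised_script(data: bytes) -> bool:
    """True when a file claims to be a GIF but carries a PHP open tag."""
    return data.startswith(GIF_MAGIC) and PHP_TAG.search(data) is not None


def scan_avatar_dir(avatar_dir: str) -> list[str]:
    """Return avatar files that end in .php or hide PHP behind GIF bytes."""
    hits = []
    for path in sorted(Path(avatar_dir).iterdir()):
        if not path.is_file():
            continue
        if path.suffix.lower() == ".php" or is_disguised_script(path.read_bytes()):
            hits.append(path.name)
    return hits


def flag_requests(log_lines: list[str]) -> list[tuple[str, str]]:
    """Label access-log lines matching the two request patterns."""
    findings = []
    for line in log_lines:
        if AVATAR_PHP.search(line):
            findings.append(("avatar_php_request", line))
        elif PROFILE_POST.search(line):
            findings.append(("profile_upload_post", line))
    return findings


# Constructed sample log lines (combined log format assumed).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Sep/2020:10:00:01 +0000] "POST /CuteNews/index.php?mod=main&opt=personal HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Sep/2020:10:00:03 +0000] "GET /CuteNews/uploads/avatar_user1_pic.php HTTP/1.1" 200 12',
    '203.0.113.9 - - [10/Sep/2020:10:00:05 +0000] "GET /CuteNews/uploads/avatar_user2_me.gif HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for label, line in flag_requests(SAMPLE_LOG):
        print(label, line)
```

A `profile_upload_post` hit alone is normal profile activity, since access logs do not show the multipart body; it matters when the same client requests an avatar `.php` file shortly afterwards. Compressed image data can occasionally contain `<?=` by chance, so file hits are candidates for review.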
CVSS provenance
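| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| vulncheck | — | 8.8 | HIGH | — |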
GHSA
GHSA-8rcx-6793-p6gv: An issue was discovered in CutePHP CuteNews 2
ghsa_unreviewed·2022-05-24
CVE-2019-11447 [HIGH] CWE-434
VulnCheck
cutephp cutenews Unrestricted Upload of File with Dangerous Type
vulncheck·2019·CVSS 8.8
Affected: cutephp cutenews
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://blogs.juniper.net/en-us/threat-research/everything-but-the-kitchen-sink-more-attacks-from-the
No detection rules found.
Exploit-DB
CuteNews 2.1.2 - Remote Code Execution
exploitdb·2020-09-10·CVSS 8.8
---
# Exploit Title: CuteNews 2.1.2 - Remote Code Execution
# Google Dork: N/A
# Date: 2020-09-10
# Exploit Author: Musyoka Ian
# Vendor Homepage: https://cutephp.com/cutenews/downloading.php
# Software Link: https://cutephp.com/cutenews/downloading.php
# Version: CuteNews 2.1.2
# Tested on: Ubuntu 20.04, CuteNews 2.1.2
# CVE : CVE-2019-11447
#! /bin/env python3
import requests
from base64 import b64decode
import io
import re
import string
import random
import sys
banner = """
_____ __ _ __ ___ ___ ___
/ ___/_ __/ /____ / |/ /__ _ _____ |_ | ] Usage python3 expoit.py")
print ()
sess = requests.session()
payload = "GIF8;\n"
ip = input("Enter the URL> ")
def extract_credentials():
global sess, ip
url = f"{ip}/CuteNews/cdata/users/lines"
encoded_
Exploit-DB
CuteNews 2.1.2 - 'avatar' Remote Code Execution (Metasploit)
exploitdb·2019-04-15
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule "CuteNews 2.1.2 - 'avatar' Remote Code Execution",
'Description' => %q(
This module exploits a command execution vulnerability in CuteNews prior to 2.1.2.
The attacker can infiltrate the server through the avatar upload process in the profile area.
There is no realistic control of the $imgsize function in "/core/modules/dashboard.php"
Header content of the file can be changed and the control can be bypassed.
We can use the "GIF" header for this process.
An ordinary user is enough to exploit the vulnerability. No need for admin user.
The module creates a file for yo
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/159134/CuteNews-2.1.2-Remote-Code-Execution.html
- http://pentest.com.tr/exploits/CuteNews-2-1-2-Remote-Code-Execution-Metasploit.html
- https://www.exploit-db.com/exploits/46698/