CVE-2019-13294
Published 2019-07-04
Priority: P2 (74) · Severity: critical 9.8 (CVSS 3.0)
Vector: AV:N AC:L PR:N UI:N S:U C:H I:H A:H
Exploit: available
EPSS: 18.75% (96.9th percentile)
AROX School-ERP Pro has a command execution vulnerability. import_stud.php and upload_fille.php do not have session control. Therefore an unauthenticated user can execute a command on the system.
Detection & IOCs (extracted from sources)
- Detect POST requests to upload_fille.php with multipart/form-data carrying a PHP file upload in the form field named 'txtdocname' and no valid session cookie; the endpoint requires none, so the absence of a session is itself the signal.
- Alert on HTTP 200 responses from upload_fille.php whose body contains the string 'Successfully', which indicates a completed upload. On its own this also matches legitimate authenticated uploads, so correlate it with a missing session cookie or a .php upload filename before treating it as a webshell drop.
- Monitor GET requests to /greatbritain/greatbritain/upload_data/*.php: this is the path from which the uploaded PHP webshell is executed after a successful upload.
- The session-control calls on lines 8–10 of the vulnerable scripts are commented out with slashes, so any request to these endpoints that carries no session cookie should be treated as suspicious.
- Uploaded webshell filenames follow the pattern of eight random lowercase letters followed by .php (e.g. abcdefgh.php); flag creation of files matching that pattern under the upload_data directory.
- The public exploit's upload and execution paths sit under the 'greatbritain/greatbritain/' subdirectory. Treat that prefix as a high-confidence qualifier rather than the only match condition: also key on the script names upload_fille.php and import_stud.php so a deployment under a different prefix is not missed, while avoiding alerts on generic PHP upload endpoints.
- The exploit targets PHP specifically; detections for webshell execution should focus on processes spawned from the web server or PHP worker context (shells or system utilities launched by the web server user) rather than on the HTTP layer alone.
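The indicators above, turned into detection logic and run over a handful of constructed proxy/WAF records. This is an added example, not code from the page or from any detection product: the record format (JSON lines with request method, path, status, cookie header, multipart field names, uploaded filenames and a response snippet) is hypothetical, the session cookie name PHPSESSID is assumed (the PHP default), and the sample records are fabricated. The prefix 'greatbritain/greatbritain/' is used only to raise confidence, so an install under another path still produces an alert.

```python
"""Detection logic for the CVE-2019-13294 IOCs over constructed proxy records.

Added example. The record schema below is hypothetical; the session cookie
name (PHPSESSID) is an assumption. Nothing here is taken from a real log.
"""
import json
import re
from posixpath import basename

# Scripts the advisory names as lacking session control.
VULN_SCRIPTS = {"upload_fille.php", "import_stud.php"}
# Path prefix used by the public exploit; raises confidence, never required.
EXPLOIT_PREFIX = "/greatbritain/greatbritain/"
# Webshell filename pattern: eight lowercase letters followed by .php.
WEBSHELL_NAME = re.compile(r"^[a-z]{8}\.php$")
WEBSHELL_PATH = re.compile(r"/upload_data/[a-z]{8}\.php$")
# Assumed session cookie (PHP default name).
SESSION_COOKIE = re.compile(r"(?:^|;\s*)PHPSESSID=\S+")

# Constructed sample records (JSON lines). Not real traffic.
SAMPLE_RECORDS = """\
{"src": "203.0.113.5", "method": "POST", "path": "/greatbritain/greatbritain/upload_fille.php", "status": 200, "cookie": "", "content_type": "multipart/form-data; boundary=----x", "form_fields": ["txtdocname"], "upload_names": ["qwertyui.php"], "resp_snippet": "Successfully uploaded"}
{"src": "203.0.113.5", "method": "GET", "path": "/greatbritain/greatbritain/upload_data/qwertyui.php", "status": 200, "cookie": "", "content_type": "", "form_fields": [], "upload_names": [], "resp_snippet": "uid=33(www-data)"}
{"src": "198.51.100.7", "method": "POST", "path": "/greatbritain/greatbritain/upload_fille.php", "status": 200, "cookie": "PHPSESSID=abc123", "content_type": "multipart/form-data; boundary=----y", "form_fields": ["txtdocname"], "upload_names": ["marks.xlsx"], "resp_snippet": "Successfully uploaded"}
{"src": "198.51.100.9", "method": "GET", "path": "/greatbritain/greatbritain/index.php", "status": 200, "cookie": "PHPSESSID=def456", "content_type": "", "form_fields": [], "upload_names": [], "resp_snippet": "<html>"}
{"src": "192.0.2.44", "method": "POST", "path": "/school/import_stud.php", "status": 200, "cookie": "", "content_type": "multipart/form-data; boundary=----z", "form_fields": ["txtdocname"], "upload_names": ["abcdefgh.php"], "resp_snippet": "Successfully"}
"""


def has_session(cookie_header: str) -> bool:
    """True if the Cookie header carries a PHPSESSID value."""
    return bool(SESSION_COOKIE.search(cookie_header or ""))


def classify(rec: dict) -> list[str]:
    """Return the names of every IOC rule the record matches."""
    alerts = []
    path = rec.get("path", "")
    script = basename(path)
    if script in VULN_SCRIPTS:
        # Rule 1: POST to a vulnerable script with no session cookie.
        if rec.get("method") == "POST" and not has_session(rec.get("cookie", "")):
            alerts.append("unauth_post_to_vuln_script")
        # Rule 2: multipart upload of a .php file via the 'txtdocname' field.
        ctype = rec.get("content_type", "").lower()
        if (ctype.startswith("multipart/form-data")
                and "txtdocname" in rec.get("form_fields", [])
                and any(n.lower().endswith(".php") for n in rec.get("upload_names", []))):
            alerts.append("php_upload_via_txtdocname")
        # Rule 3: 200 response whose body reports a successful upload.
        # Noisy on its own: it also fires on legitimate authenticated uploads.
        if rec.get("status") == 200 and "Successfully" in rec.get("resp_snippet", ""):
            alerts.append("upload_success_response")
    # Rule 4: GET to an eight-letter .php name under upload_data (webshell execution).
    if rec.get("method") == "GET" and WEBSHELL_PATH.search(path):
        alerts.append("webshell_request")
    return alerts


def confidence(path: str) -> str:
    """High when the path matches the exploit's known prefix, medium otherwise."""
    return "high" if path.startswith(EXPLOIT_PREFIX) else "medium"


def scan(records_text: str) -> list[dict]:
    """Run every rule over JSON-lines records; return only records that alert."""
    hits = []
    for line in records_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        alerts = classify(rec)
        if alerts:
            hits.append({"src": rec["src"], "path": rec["path"],
                         "alerts": alerts, "confidence": confidence(rec["path"])})
    return hits


def suspicious_upload_files(names: list[str]) -> list[str]:
    """Filesystem-side check: filenames matching the webshell naming pattern."""
    return [n for n in names if WEBSHELL_NAME.match(n)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS):
        print(hit["confidence"], hit["src"], hit["path"], ", ".join(hit["alerts"]))
    print(suspicious_upload_files(["abcdefgh.php", "marks.xlsx", "report.pdf"]))
```

Of the five sample records, four alert: the two-step attack chain (unauthenticated PHP upload followed by a GET to the eight-letter .php name), the legitimate authenticated .xlsx upload (which trips only the noisy 'Successfully' rule and should be downgraded by correlation), and an unauthenticated PHP upload to import_stud.php under a different prefix, which still fires but at medium confidence.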
CVSS provenance
- NVD v3.0: 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 10.0 CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
No detection rules found.
No writeups or analysis indexed.