CVE-2019-15813
Published 2019-09-04
Priority P271 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available · EPSS: 33.24% (98.2th percentile)
Multiple file upload restriction bypass vulnerabilities in Sentrifugo 3.2 could allow authenticated users to execute arbitrary code via a webshell.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sentrifugo | sentrifugo | — | — |
Detection & IOCs (extracted from sources)
- Detect multipart file upload requests to /employeedocs/uploadsave or /policydocuments/uploaddoc where the Content-Type of the file part is 'application/x-httpd-php'; this indicates a MIME-type bypass attempt.
- Alert on file uploads where the submitted filename contains a double extension pattern (e.g., shell.php.doc) or where the filename in the multipart body is altered to end in .php after initial submission.
- Monitor HTTP GET/POST requests to /public/uploads/employeedocs/ or /public/uploads/policy_doc_temp/ for .php files, especially with query parameters like ?cmd= indicating webshell execution.
- Detect POST requests to /public/uploads/policy_doc_temp/*.php with a 'cmd' POST parameter body, which is the webshell interaction pattern used by the automated exploit.
- The uploaded webshell filename in the employeedocs path follows the pattern <unix_timestamp>_<digit>_shell.php; monitor for numerically prefixed .php files appearing in upload directories.
- Exploitation requires an authenticated session; the attacker must first obtain valid credentials and log in via /index.php/index/loginpopupsave before uploading the webshell.
- Two distinct upload endpoints are vulnerable with different permission requirements: /mydetails/documents requires any authenticated user, while /policydocuments/add requires higher (admin-level) permissions.
- The policy_doc_temp upload path stores files temporarily; the exploit script attempts cleanup by deleting the webshell after use, so forensic artifacts in that path may be short-lived.
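The detection notes above can be turned into a small classifier over HTTP request records. The following is an added example written for this page, not code from the page or from Sentrifugo; the `Request` record shape and the sample traffic are constructed, and the path and filename patterns are the ones quoted in the notes.

```python
import re
from dataclasses import dataclass, field

# Paths and name patterns quoted in the detection notes above
UPLOAD_ENDPOINTS = ("/employeedocs/uploadsave", "/policydocuments/uploaddoc")
WEBSHELL_DIRS = ("/public/uploads/employeedocs/", "/public/uploads/policy_doc_temp/")
TIMESTAMP_SHELL = re.compile(r"^\d{9,10}_\d_shell\.php$")  # <unix_timestamp>_<digit>_shell.php
DOUBLE_EXT = re.compile(r"\.php\.\w+$|\.\w+\.php$", re.IGNORECASE)  # e.g. shell.php.doc

@dataclass
class Request:
    """Minimal HTTP request record (hypothetical shape, not a real log format)."""
    method: str
    path: str
    query: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    upload_name: str = ""   # filename of the multipart file part, if any
    upload_type: str = ""   # Content-Type of the multipart file part, if any

def classify(req):
    """Return the alert tags that apply to one request; an empty list means clean."""
    tags = []
    if req.method == "POST" and req.path.endswith(UPLOAD_ENDPOINTS):
        if req.upload_type.lower() == "application/x-httpd-php":
            tags.append("mime-bypass")
        if DOUBLE_EXT.search(req.upload_name) or req.upload_name.lower().endswith(".php"):
            tags.append("php-upload")
    if any(d in req.path for d in WEBSHELL_DIRS) and req.path.lower().endswith(".php"):
        tags.append("php-in-upload-dir")
        if TIMESTAMP_SHELL.match(req.path.rsplit("/", 1)[-1]):
            tags.append("timestamp-shell-name")
        if "cmd" in req.query or "cmd" in req.form:
            tags.append("webshell-cmd")
    return tags

# Constructed sample traffic, not real captures
SAMPLES = [
    Request("POST", "/index.php/employeedocs/uploadsave", upload_name="resume.pdf", upload_type="application/pdf"),
    Request("POST", "/index.php/employeedocs/uploadsave", upload_name="shell.php.doc", upload_type="application/x-httpd-php"),
    Request("GET", "/public/uploads/employeedocs/1567123456_1_shell.php", query={"cmd": "id"}),
    Request("POST", "/public/uploads/policy_doc_temp/x.php", form={"cmd": "id"}),
    Request("GET", "/public/uploads/employeedocs/1567123456_1_report.pdf"),
]

def scan(requests=SAMPLES):
    """Return (method, path, tags) for every request that raised at least one tag."""
    hits = [(r.method, r.path, classify(r)) for r in requests]
    return [h for h in hits if h[2]]
```

The benign PDF upload and the PDF download in the samples produce no tags; the MIME bypass, the timestamp-named shell with `?cmd=` and the POST-body `cmd` each produce their own tag combination.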
CVSS provenance
- NVD, CVSS v3.1: 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 6.5 MEDIUM (AV:N/AC:L/Au:S/C:P/I:P/A:P)
No detection rules found.
Exploit-DB · exploitdb · 2020-10-27 · CVSS 8.8 [HIGH]
Sentrifugo 3.2 - File Upload Restriction Bypass (Authenticated)
---
```python
# Exploit Title: Sentrifugo 3.2 - File Upload Restriction Bypass (Authenticated)
# Date: 26/10/2020
# Exploit Author: Gurkirat Singh
# Vendor Homepage: http://www.sentrifugo.com/
# POC Link: https://www.exploit-db.com/exploits/47323
# Version: 3.2
# Tested on: Linux and Windows
# CVE : CVE-2019-15813
# Contact Details: https://google.com/search?q=tbhaxor
from argparse import ArgumentParser, RawTextHelpFormatter
from bs4 import BeautifulSoup, Tag
from requests.sessions import Session
import tempfile as tmp
import os.path as path
import random
import string
from huepy import *
parser = ArgumentParser(description="Exploit for CVE-2019-15813",
formatter_class=RawTextHelpFormatter)
parser.add_argument("--target",
"-t",
help
```
Exploit-DB · exploitdb · 2019-08-30 · CVSS 8.8 [HIGH]
Sentrifugo 3.2 - File Upload Restriction Bypass
---
```python
# Exploit Title: Sentrifugo 3.2 - File Upload Restriction Bypass
# Google Dork: N/A
# Date: 8/29/2019
# Exploit Author: creosote
# Vendor Homepage: http://www.sentrifugo.com/
# Version: 3.2
# Tested on: Ubuntu 18.04
# CVE : CVE-2019-15813
```
Multiple File Upload Restriction Bypass vulnerabilities were found in Sentrifugo 3.2. This allows for an authenticated user to potentially obtain RCE via webshell.
File upload bypass locations:
/sentrifugo/index.php/mydetails/documents -- Self Service >> My Details >> Documents (any permissions needed)
sentrifugo/index.php/policydocuments/add -- Organization >> Policy Documents (higher permissions needed)
# POC
1. Self Service >> My Details >> Documents >> add New Document (/sentrifugo/index.php/
No writeups or analysis indexed.