CVE-2019-15813
published 2019-09-04

CVE-2019-15813: Multiple file upload restriction bypass vulnerabilities in Sentrifugo 3.2 could allow authenticated users to execute arbitrary code via a webshell.

Priority: P271 (high); CVSS 3.1 base score 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 33.24% (98.2th percentile)

Affected (1 range)

Vendor      Product      Version range   Fixed in
sentrifugo  sentrifugo   -               -

Detection & IOCs (extracted from sources)

url: /sentrifugo/index.php/mydetails/documents
url: /sentrifugo/index.php/policydocuments/add
url: /sentrifugo/index.php/employeedocs/uploadsave
url: /index.php/policydocuments/uploaddoc
path: /sentrifugo/public/uploads/employeedocs/
path: /public/uploads/policy_doc_temp/
filename: shell.php
other: Content-Type: application/x-httpd-php
command: ?cmd=cat /etc/passwd
  • Detect multipart file upload requests to /employeedocs/uploadsave or /policydocuments/uploaddoc where the Content-Type of the file part is 'application/x-httpd-php'; this indicates a MIME-type bypass attempt.
  • Alert on file uploads where the submitted filename contains a double extension (e.g., shell.php.doc) or where the filename in the multipart body has been altered to end in .php after the initial submission.
  • Monitor HTTP GET/POST requests for .php files under /public/uploads/employeedocs/ or /public/uploads/policy_doc_temp/, especially with query parameters such as ?cmd=, which indicate webshell execution.
  • Detect POST requests to /public/uploads/policy_doc_temp/*.php carrying a 'cmd' parameter in the POST body; this is the webshell interaction pattern used by the automated exploit.
  • The uploaded webshell filename in the employeedocs path follows the pattern <unix_timestamp>_<digit>_shell.php; monitor for numerically prefixed .php files appearing in upload directories.
  • Exploitation requires an authenticated session; the attacker must first obtain valid credentials and log in via /index.php/index/loginpopupsave before uploading the webshell.
  • Two distinct upload endpoints are vulnerable, with different permission requirements: /mydetails/documents requires any authenticated user, while /policydocuments/add requires higher (admin-level) permissions.
  • The policy_doc_temp upload path stores files temporarily, and the exploit script attempts cleanup by deleting the webshell after use, so forensic artifacts in that path may be short-lived.
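The detection points above, turned into runnable checks. This is an added example, not a rule from the page's sources and not Sentrifugo's own code. It assumes an Apache-style access-log line format, a separate view of multipart file parts (path, filename, part Content-Type), and an optional POST-body string for the 'cmd' check; the sample log lines and parts are constructed here, and the /sentrifugo/ prefix is an assumption that must match the real deployment.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the IOC list above.
UPLOAD_ENDPOINTS = ("/employeedocs/uploadsave", "/policydocuments/uploaddoc")
UPLOAD_DIRS = ("/public/uploads/employeedocs/", "/public/uploads/policy_doc_temp/")
PHP_MIME = "application/x-httpd-php"
# <unix_timestamp>_<digit>_shell.php; ten digits covers current epoch seconds.
TIMESTAMP_SHELL_RE = re.compile(r"^\d{10}_\d_.*\.php$", re.IGNORECASE)
# shell.php.doc and similar double extensions.
DOUBLE_EXT_RE = re.compile(r"\.php\.[a-z0-9]+$", re.IGNORECASE)
# Assumed access-log shape: client ident user [time] "METHOD target PROTO" status ...
ACCESS_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


@dataclass
class Finding:
    rule: str
    detail: str


def check_upload_part(path, filename, content_type):
    """Check one file part of a multipart POST to a Sentrifugo upload endpoint."""
    findings = []
    if not any(path.endswith(ep) for ep in UPLOAD_ENDPOINTS):
        return findings  # not an upload endpoint; nothing to inspect
    if content_type.strip().lower() == PHP_MIME:
        findings.append(Finding("mime-bypass", f"{path}: part Content-Type {content_type}"))
    if DOUBLE_EXT_RE.search(filename):
        findings.append(Finding("double-extension", f"{path}: filename {filename}"))
    elif filename.lower().endswith(".php"):
        findings.append(Finding("php-filename", f"{path}: filename {filename}"))
    return findings


def check_access_line(line, post_body=""):
    """Check one access-log line (plus optional POST body) for webshell retrieval or use."""
    findings = []
    m = ACCESS_RE.match(line)
    if not m:
        return findings  # unparseable line; a real pipeline would count these
    method, target = m.group("method"), m.group("target")
    parts = urlsplit(target)
    path = parts.path
    if not any(d in path for d in UPLOAD_DIRS) or not path.lower().endswith(".php"):
        return findings  # only .php under the upload directories is interesting
    basename = path.rsplit("/", 1)[-1]
    findings.append(Finding("php-in-upload-dir", f"{method} {path}"))
    # 'cmd' either in the query string (GET-style shell) or in the POST body.
    if "cmd" in parse_qs(parts.query) or "cmd" in parse_qs(post_body):
        findings.append(Finding("webshell-cmd", f"{method} {path}"))
    if TIMESTAMP_SHELL_RE.match(basename):
        findings.append(Finding("timestamped-shell-name", basename))
    return findings


# Constructed sample data (not real traffic).
SAMPLE_UPLOAD_PARTS = [
    ("/sentrifugo/index.php/employeedocs/uploadsave", "shell.php", "application/x-httpd-php"),
    ("/index.php/policydocuments/uploaddoc", "shell.php.doc", "application/msword"),
    ("/sentrifugo/index.php/employeedocs/uploadsave", "cv.pdf", "application/pdf"),
    ("/sentrifugo/index.php/index/loginpopupsave", "shell.php", "application/x-httpd-php"),
]
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [04/Sep/2019:10:00:01 +0000] "GET /sentrifugo/public/uploads/employeedocs/'
    '1567591201_1_shell.php?cmd=cat%20/etc/passwd HTTP/1.1" 200 512',
    '10.0.0.5 - - [04/Sep/2019:10:00:02 +0000] "POST /sentrifugo/public/uploads/policy_doc_temp/'
    'shell.php HTTP/1.1" 200 88',
    '10.0.0.9 - - [04/Sep/2019:10:00:03 +0000] "GET /sentrifugo/public/uploads/employeedocs/'
    '1567591201_1_resume.pdf HTTP/1.1" 200 9000',
]


def scan(upload_parts, access_lines, post_bodies=None):
    """Run both checks over the samples; returns the rule names that fired, in order."""
    post_bodies = post_bodies or {}
    fired = []
    for part in upload_parts:
        fired += [f.rule for f in check_upload_part(*part)]
    for i, line in enumerate(access_lines):
        fired += [f.rule for f in check_access_line(line, post_bodies.get(i, ""))]
    return fired


if __name__ == "__main__":
    for rule in scan(SAMPLE_UPLOAD_PARTS, SAMPLE_ACCESS_LOG, {1: "cmd=id"}):
        print(rule)
```

The POST-body check only works if the log source captures request bodies (a WAF or reverse-proxy log, not a plain access log), which is why it is passed separately; the query-string and filename checks work on ordinary access logs. Because policy_doc_temp artifacts are deleted by the exploit, the log-based rules are what remain after the fact.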

CVSS provenance

NVD, CVSS v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P