CVE-2019-16113
published 2019-09-08

Priority: P1 · 79 · high
CVSS 3.1: 8.8 (AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H)
Exploit: available
EPSS: 77.96% (99.5th percentile)
Bludit 3.9.2 allows remote code execution via bl-kernel/ajax/upload-images.php because PHP code can be entered with a .jpg file name, and then this PHP code can write other PHP code to a ../ pathname.

Affected (1 range)

Vendor | Product | Version range | Fixed in
bludit | bludit | (empty) | (empty)

Detection & IOCs (extracted from sources)

  • path: /admin/ajax/upload-images
  • path: /bl-content/tmp/
  • path: /bl-content/tmp/temp/evil.png
  • path: bl-kernel/ajax/upload-images.php
  • filename: .htaccess
  • filename: evil.png
  • cookie: BLUDIT-KEY
  • command: uuid=../../tmp
  • command: uuid=../../tmp/temp
  • command: RewriteEngine off AddType application/x-httpd-php .jpg
  • Detect POST requests to /admin/ajax/upload-images with a uuid parameter containing directory traversal sequences (e.g., ../../tmp)
  • Alert on upload of a .htaccess file via the image upload endpoint containing 'AddType application/x-httpd-php' to enable PHP execution of image files
  • Monitor for HTTP GET requests to /bl-content/tmp/*.jpg or /bl-content/tmp/*.png which may indicate webshell trigger attempts after exploitation
  • Detect the X-Requested-With: XMLHttpRequest header combined with multipart POST to /admin/ajax/upload-images as a characteristic of exploit tooling
  • Detect PHP code embedded in files with .jpg or .png extensions uploaded to the Bludit image upload endpoint
  • The directory traversal payload in the uuid parameter targets /bl-content/tmp by default, but the exploit can write to arbitrary server paths depending on the traversal depth used
  • The .htaccess bypass technique requires the Apache server to have AllowOverride enabled for the target directory; environments without this setting may not be exploitable via this method
  • The exploit affects Bludit versions >= 3.9.2; the Metasploit module specifically targets v3.9.2, but the directory traversal issue is present in later versions as well

CVSS provenance

  • NVD, CVSS v3.1: 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
  • NVD, CVSS v2.0: 6.5 MEDIUM (AV:N/AC:L/Au:S/C:P/I:P/A:P)