CVE-2019-18873
Published 2019-11-12
Priority: P2 (60)
Severity: critical (CVSS 3.1 base score 9.0)
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Exploit: public PoC referenced
EPSS: 8.15% (94.1th percentile)
FUDForum 3.0.9 is vulnerable to Stored XSS via the User-Agent HTTP header. This may result in remote code execution. An attacker can use a user account to fully compromise the system via a GET request. When the admin visits user information under "User Manager" in the control panel, the payload will execute. This will allow for PHP files to be written to the web root, and for code to execute on the remote server. The problem is in admsession.php and admuser.php.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fudforum | fudforum | — | — |
Detection & IOCs (extracted from sources)
- Detect stored XSS exploitation via a malicious User-Agent HTTP header sent to FUDForum index.php; the payload is stored and fires when the admin views 'Recent sessions' under User Manager.
- Monitor POST requests to /fudforum/adm/admbrowse.php with Content-Type multipart/form-data containing a filename with a .php extension and Content-Type application/x-php; this is the webshell upload step of the exploit chain.
- Alert on GET requests to the dropped webshell path /fudforum/liquidsky.php with a 'cmd' query parameter, indicating post-exploitation RCE activity.
- The vulnerable code paths are admsession.php (User-Agent logging) and admuser.php (admin user info display); review these files for unsanitised output of the User-Agent field.
- The PowerShell payload in the cmd parameter is URL-encoded; decode and alert on the presence of 'powershell -EncodedCommand' being passed via the cmd parameter to the dropped webshell.
- Caveat: the hardcoded webroot path in the exploit is Windows/XAMPP-specific; the actual upload destination will vary by server OS and FUDForum installation path.
- Caveat: the multipart boundary value is hardcoded in this PoC; real-world exploitation may use different boundary strings, so detection should not rely solely on this exact boundary value.
- Caveat: the XSS-to-RCE chain requires the admin to visit the 'User Manager' page after the malicious User-Agent is logged; exploitation is not immediate and depends on admin interaction.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | CVSS v3.1 | 9.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H |
| NVD | CVSS v2.0 | 8.5 | HIGH | AV:N/AC:M/Au:S/C:C/I:C/A:C |
No detection rules found.
No writeups or analysis indexed.