CVE-2019-18951
Published 2019-11-13
Priority P2 · 63 · high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Exploit: public exploit indexed
EPSS: 19.78% (97.1th percentile)
SibSoft Xfilesharing through 2.5.1 allows op=page&tmpl=../ directory traversal to read arbitrary files.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sibsoft | xfilesharing | <= 2.5.1 | — |
Detection & IOCs (extracted from sources)
- Monitor for multipart file upload POST requests to /cgi-bin/up.cgi with a 'sid' parameter, which controls the upload subdirectory and can be path-traversed (e.g., sid=../../../../../../tmp) to place files outside the intended temp directory.
- Detect LFI exploitation attempts via the 'tmpl' parameter in requests to /?op=page: path traversal sequences (../../) targeting .html files indicate active exploitation of CVE-2019-18951.
- Alert on GET requests to /cgi-bin/temp/ paths containing uploaded .php files, which indicates successful arbitrary file upload and potential webshell access.
- The exploit chain combines file upload (CVE-2019-18952) with LFI (CVE-2019-18951): an .html file containing shortcodes is uploaded to /tmp via sid path traversal, then included via the tmpl parameter to achieve RCE.
- Use the Google dork 'inurl:/?op=registration' to identify exposed Xfilesharing instances for proactive asset discovery.
- The .html extension is hard-coded server-side for LFI template inclusion; only files with the .html extension can be included via the tmpl parameter, meaning the attacker must upload an .html file (not .php) for the LFI stage of the RCE chain.
- RCE requires chaining both CVE-2019-18952 (arbitrary file upload) and CVE-2019-18951 (LFI); neither vulnerability alone achieves code execution.
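As an added, defender-side example that is not from this page, from SibSoft, from the exploit author or from the Nuclei project, the following Python script applies the three access-log indicators above to constructed sample log lines. The host addresses, timestamps and file names in the sample are made up; the parameter names op, tmpl and sid and the paths /cgi-bin/up.cgi and /cgi-bin/temp/ are taken from the indicators. The traversal check decodes percent-encoding repeatedly, so it also catches encoded and double-encoded variants rather than only the literal ../../ form named above.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format). Addresses, times
# and file names are invented for this example and are not from any incident.
SAMPLE_LOG = """\
203.0.113.10 - - [13/Nov/2019:10:01:02 +0000] "GET /?op=page&tmpl=../../admin_settings HTTP/1.1" 200 5120 "-" "curl/7.64.0"
203.0.113.10 - - [13/Nov/2019:10:01:05 +0000] "GET /?op=page&tmpl=%2e%2e%2f%2e%2e%2ftmp%2fupload HTTP/1.1" 200 812 "-" "curl/7.64.0"
198.51.100.7 - - [13/Nov/2019:10:02:00 +0000] "GET /?op=page&tmpl=terms HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.10 - - [13/Nov/2019:10:03:11 +0000] "POST /cgi-bin/up.cgi?sid=..%252f..%252f..%252ftmp HTTP/1.1" 200 230 "-" "python-requests/2.22"
203.0.113.10 - - [13/Nov/2019:10:04:40 +0000] "GET /cgi-bin/temp/joe/shell.php HTTP/1.1" 200 64 "-" "curl/7.64.0"
198.51.100.7 - - [13/Nov/2019:10:05:00 +0000] "POST /cgi-bin/up.cgi HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined-log-format parser: client, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# A ".." path segment bounded by a slash, backslash or string boundary.
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')


def deep_decode(value, rounds=3):
    """URL-decode until the value stops changing (bounded), so that
    %2e%2e%2f and double-encoded %252e variants are normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value):
    """True if the (decoded) value contains a directory-traversal segment."""
    return bool(TRAVERSAL_RE.search(deep_decode(value)))


def analyze_request(method, target, form=None):
    """Classify one HTTP request against the Xfilesharing indicators.

    `form` carries decoded POST body fields when the log source (a WAF or
    request-body logging) provides them; plain access logs only expose the
    query string, so the multipart `sid` field is invisible there."""
    parts = urlsplit(target)
    path = parts.path
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    params.update(form or {})  # body fields override query-string fields
    findings = []

    def hit(rule, cve, severity):
        findings.append({"rule": rule, "cve": cve, "severity": severity,
                         "method": method, "target": target})

    # Indicator 2: LFI through the tmpl parameter of op=page.
    if params.get("op") == "page" and has_traversal(params.get("tmpl", "")):
        hit("lfi_tmpl_traversal", "CVE-2019-18951", "high")

    # Indicator 1: uploads to up.cgi; traversal in sid escalates the alert.
    if method == "POST" and path == "/cgi-bin/up.cgi":
        if has_traversal(params.get("sid", "")):
            hit("upload_sid_traversal", "CVE-2019-18952", "high")
        else:
            hit("upload_endpoint_post", "CVE-2019-18952", "info")

    # Indicator 3: a .php file being served from the upload temp directory.
    if method == "GET" and path.startswith("/cgi-bin/temp/") and path.lower().endswith(".php"):
        hit("uploaded_php_served", "CVE-2019-18952", "high")
    return findings


def analyze_line(line):
    """Parse one access-log line and return its findings (empty if unparsable)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = analyze_request(m["method"], m["target"])
    for f in findings:
        f.update(ip=m["ip"], ts=m["ts"], status=m["status"])
    return findings


def scan_access_log(log_text):
    """Run analyze_line over every line and return all findings in log order."""
    findings = []
    for line in log_text.splitlines():
        findings.extend(analyze_line(line))
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['severity']:<5} {f['rule']:<22} {f['cve']} {f['ip']} {f['method']} {f['target']}")
```

The fourth sample line shows why the repeated decoding matters: the access log records sid=..%252f.., which parse_qs decodes only once. Feed `analyze_request` the decoded multipart fields from a WAF log to cover the case where sid travels in the POST body instead of the query string.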
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | CVSS v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| NVD | CVSS v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| VulnCheck | — | 7.5 | HIGH | — |
GHSA
GHSA-qwjm-gcr8-gjhw: SibSoft Xfilesharing through 2 (CVE-2019-18951, MEDIUM)
ghsa_unreviewed · 2022-05-24
SibSoft Xfilesharing through 2.5.1 allows op=page&tmpl=../ directory traversal to read arbitrary files.
GHSA
GHSA-24p5-6g2r-2gc4: SibSoft Xfilesharing through 2 (CVE-2019-18952, HIGH)
ghsa_unreviewed · 2022-05-24 · CVSS 7.5
SibSoft Xfilesharing through 2.5.1 allows cgi-bin/up.cgi arbitrary file upload. This can be combined with CVE-2019-18951 to achieve remote code execution via a .html file, containing short codes, that is served over HTTP.
VulnCheck
sibsoft xfilesharing Unrestricted Upload of File with Dangerous Type (CVE-2019-18952, HIGH)
vulncheck · 2019 · CVSS 7.5
SibSoft Xfilesharing through 2.5.1 allows cgi-bin/up.cgi arbitrary file upload. This can be combined with CVE-2019-18951 to achieve remote code execution via a .html file, containing short codes, that is served over HTTP.
Affected: sibsoft xfilesharing
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://blog.checkpoint.com/security/december-2021s-most-wanted-malware-trickbot-emotet-and-the-log4j-plague/
- https://blog.checkpoint.com/security/april-2022s-most-wanted-malware-a-shake-up-in-the-index-but-emotet-is-still-on-top/
- https://blog.checkpoint.com/security/april-2024s-most-wanted
No detection rules found.
Exploit-DB
Xfilesharing 2.5.1 - Arbitrary File Upload (CVE-2019-18951, HIGH)
exploitdb · 2019-11-14 · CVSS 7.5
---
# Exploit Title: Xfilesharing 2.5.1 - Arbitrary File Upload
# Google Dork: inurl:/?op=registration
# Date: 2019-11-4
# Exploit Author: Noman Riffat
# Vendor Homepage: https://sibsoft.net/xfilesharing.html
# Version:
Shell : http://xyz.com/cgi-bin/temp/joe/shell.php
####################
Local File Inclusion
####################
http://xyz.com/?op=page&tmpl=../../admin_settings
This URL will fetch the "admin_settings.html" template without any authentication. The ".html" extension is hard-coded on the server, so the included file must have an .html extension, anywhere on the server. You can even merge LFI with the Arbitrary File Upload vulnerability by uploading an html file, i.e. "upload.html", and changing the "sid" to "../../../../../../tmp" and
Nuclei
Xfilesharing 2.5.1 - Arbitrary File Upload (CVE-2019-18952, HIGH)
nuclei · CVSS 7.5
SibSoft Xfilesharing through 2.5.1 allows cgi-bin/up.cgi arbitrary file upload. This can be combined with CVE-2019-18951 to achieve remote code execution via a .html file, containing short codes, that is served over HTTP.
Template:
```yaml
id: CVE-2019-18952
info:
  name: Xfilesharing 2.5.1 - Arbitrary File Upload
  author: daffainfo
  severity: critical
  description: |
    SibSoft Xfilesharing through 2.5.1 allows cgi-bin/up.cgi arbitrary file upload.This can be combined with CVE-2019-18951 to achieve remote code execution via a .html file, containing short codes, that is served over HTTP.
  remediation: |
    Apply the latest security patches and updates from the vendor to address this vulnerability.
  impact:
    Attackers can upload malicious files and execute arbitrary
```
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/155324/Xfilesharing-2.5.1-Local-File-Inclusion-Shell-Upload.html
- https://gist.github.com/pak0s/af9f640170aed335fdf6d110d468dbce