CVE-2019-19576
Published 2019-12-04
Priority: P2 73 · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: public exploit available
EPSS: 26.18% (97.7th percentile)
class.upload.php in verot.net class.upload before 1.0.3 and 2.x before 2.0.4, as used in the K2 extension for Joomla! and other products, omits .phar from the set of dangerous file extensions.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| joomlaworks | k2 | <= 2.10.1 | — |
| verot | class.upload.php | >= 0 < 1.0.3 | 1.0.3 |
| verot | class.upload.php | 0 – 1.0.3 | — |
| verot | class.upload.php | >= 2.0.0 < 2.0.4 | 2.0.4 |
| verot | class.upload.php | 2.0.0 – 2.0.4 | — |
| verot_project | verot | < 1.0.3 | 1.0.3 |
| verot_project | verot | >= 2.0.0 < 2.0.4 | 2.0.4 |
Detection & IOCs (extracted from sources)
- Flag file uploads where the final extension is .phar, especially when the filename also contains an image extension (e.g., .jpg.phar), as class.upload.php omits .phar from its dangerous extension blocklist.
- Detect polyglot JPEG/.phar files by inspecting uploaded files for a valid JPEG header (0xFF 0xD8) combined with embedded PHP code: the exploit searches for the JPEG SOS marker (0xFF 0xDA) and injects PHP payload bytes after it.
- Alert on web server requests to uploaded files with a .phar extension being executed via the PHP runtime, particularly under Joomla! K2 extension upload directories.
- The bypass is version-specific: class.upload versions before 1.0.3 and 2.x before 2.0.4 are affected. Patched versions add .phar to the dangerous extensions list, so the upload block only applies to unpatched deployments.
- The exploit relies on the target server treating .phar files as executable PHP. If the web server is not configured to execute .phar via the PHP handler, the RCE payload will not execute even if the file is successfully uploaded.
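A defender-side check for the three upload conditions listed above (dangerous final extension, image extension hidden before it, JPEG header with a PHP open tag after the SOS marker), written as an added example and not code from class.upload.php or from any source linked here; the extension set and the sample files are constructed for illustration:

```python
import re

# Extensions a patched class.upload.php treats as dangerous. The unpatched
# versions on this page omit .phar (CVE-2019-19576) and .pht (CVE-2019-19634).
# This set is constructed for the example, not copied from the library.
DANGEROUS_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar", "pht"}
IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

JPEG_SOI = b"\xff\xd8"  # start of image
JPEG_SOS = b"\xff\xda"  # start of scan; payload bytes are placed after it
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def final_extension(filename):
    """Return the last extension of the basename, lowercased ('' if none)."""
    name = filename.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def has_image_extension_prefix(filename):
    """True for names such as shell.jpg.phar (image extension before the last)."""
    parts = filename.lower().split(".")
    return any(p in IMAGE_EXTENSIONS for p in parts[1:-1])


def check_upload(filename, data):
    """Return a list of findings for one upload; an empty list means clean."""
    findings = []
    ext = final_extension(filename)
    if ext in DANGEROUS_EXTENSIONS:
        findings.append(f"dangerous final extension .{ext}")
        if has_image_extension_prefix(filename):
            findings.append("image extension before final extension")
    if data.startswith(JPEG_SOI):
        # Look for a PHP open tag anywhere after the first SOS marker
        # (or anywhere in the file if no SOS marker is present).
        sos = data.find(JPEG_SOS)
        tail = data[sos + 2:] if sos != -1 else data
        if PHP_TAG.search(tail):
            findings.append("JPEG header with embedded PHP open tag")
    return findings


# Constructed sample uploads: a minimal fake JPEG and a JPEG/PHP polyglot name.
SAMPLES = {
    "photo.jpg": JPEG_SOI + b"\xff\xe0" + b"\x00" * 16 + JPEG_SOS + b"\x12\x34\xff\xd9",
    "shell.jpg.phar": JPEG_SOI + b"\xff\xe0" + b"\x00" * 16 + JPEG_SOS + b"<?php /* marker */ ?>\xff\xd9",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, check_upload(name, blob) or "clean")
```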
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| GHSA | — | 9.8 | CRITICAL | — |
| OSV | — | 9.8 | CRITICAL | — |
GHSA · 2020-02-28 · CVSS 9.8
CVE-2019-19634 [CRITICAL] CWE-434: class.upload.php in verot.net omits .pht from the set of dangerous file extensions
class.upload.php in verot.net class.upload through 1.0.3 and 2.x through 2.0.4, as used in the K2 extension for Joomla! and other products, omits .pht from the set of dangerous file extensions, a similar issue to CVE-2019-19576.
OSV · 2020-02-28 · CVSS 9.8
CVE-2019-19634 [CRITICAL]: class.upload.php in verot.net omits .pht from the set of dangerous file extensions
class.upload.php in verot.net class.upload through 1.0.3 and 2.x through 2.0.4, as used in the K2 extension for Joomla! and other products, omits .pht from the set of dangerous file extensions, a similar issue to CVE-2019-19576.
OSV · 2020-01-16
CVE-2019-19576 [CRITICAL]: Remote code execution in verot/class.upload.php
class.upload.php in verot.net class.upload before 1.0.3 and 2.x before 2.0.4, as used in the K2 extension for Joomla! and other products, omits .phar from the set of dangerous file extensions.
GHSA · 2020-01-16
CVE-2019-19576 [CRITICAL] CWE-434: Remote code execution in verot/class.upload.php
class.upload.php in verot.net class.upload before 1.0.3 and 2.x before 2.0.4, as used in the K2 extension for Joomla! and other products, omits .phar from the set of dangerous file extensions.
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/155577/Verot-2.0.3-Remote-Code-Execution.html
- https://github.com/getk2/k2/commit/d1344706c4b74c2ae7659b286b5a066117155124
- https://github.com/jra89/CVE-2019-19576
- https://github.com/verot/class.upload.php/commit/5a7505ddec956fdc9e9c071ae5089865559174f1
- https://github.com/verot/class.upload.php/commit/db1b4fe50c1754696970d8b437f07e7b94a7ebf2
- https://github.com/verot/class.upload.php/compare/1.0.2...1.0.3
- https://github.com/verot/class.upload.php/compare/2.0.3...2.0.4
- https://medium.com/%40jra8908/cve-2019-19576-e9da712b779
- https://www.verot.net
- https://www.verot.net/php_class_upload.htm