CVE-2019-19731
published 2019-12-16

Priority: P2 · 64 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EXPLOIT
EPSS: 11.62% (95.5th percentile)
Roxy Fileman 1.4.5 for .NET is vulnerable to path traversal. A remote attacker can write uploaded files to arbitrary locations via the RENAMEFILE action. This can be leveraged for code execution by uploading a specially crafted Windows shortcut file and writing the file to the Startup folder (because an incomplete blacklist of file extensions allows Windows shortcut files to be uploaded).

Affected

1 ranges
Vendor: roxyfileman
Product: roxy_fileman
Version range: (none listed)
Fixed in: (none listed)

Detection & IOCs (extracted from sources)

url: /wwwroot/fileman/asp_net/main.ashx?a=UPLOAD
url: /wwwroot/fileman/asp_net/main.ashx?a=RENAMEFILE&f=%2Fwwwroot%2Ffileman%2FUploads%2FDocuments%2Fpoc.dat&n=../../../../../../../../AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Startup/poc.txt.lnk
path: /wwwroot/fileman/asp_net/main.ashx
command: a=RENAMEFILE
command: a=CREATEDIR
  • Detect POST requests to main.ashx with the 'a=RENAMEFILE' parameter where the 'n' value contains path traversal sequences (e.g., '../') — this is the core exploitation mechanism for arbitrary file write.
  • Detect POST requests to main.ashx with 'a=UPLOAD' uploading files with double extensions (e.g., .txt.lnk or .dat masking .lnk) to bypass the incomplete extension blacklist.
  • Alert on POST requests to main.ashx with 'a=CREATEDIR' containing path traversal sequences, as CREATEDIR is also vulnerable to path traversal and may be used to stage the attack.
  • Monitor for .lnk files appearing in Windows Startup folder paths (AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/) written by the IIS worker process (w3wp.exe), which would indicate successful exploitation for persistence.
  • Inspect multipart/form-data upload requests to Roxy Fileman for filenames with .lnk or double-extension patterns (e.g., .txt.lnk), as these bypass the default conf.json blacklist.
  • The default conf.json FORBIDDEN_UPLOADS blacklist does not include .lnk or .aspx extensions, allowing upload of Windows shortcut files and potentially ASP.NET webshells.
  • The RENAMEFILE, CREATEDIR, and COPYFILE actions in main.ashx all lack path validation, meaning all three endpoints are exploitable for path traversal — not just RENAMEFILE.
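
The request-side checks above can be run over web server logs. The following is an added example, not code from Roxy Fileman or from the sources this entry cites. It assumes the parameters appear in the logged request target, as in the URL indicator above. The function names and the "d" parameter in the third sample are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Actions the page names as lacking path validation.
PATH_ACTIONS = {"RENAMEFILE", "CREATEDIR", "COPYFILE"}
# A ".." path segment delimited by either separator (or string start/end).
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
SHORTCUT = re.compile(r"\.lnk$", re.IGNORECASE)

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (e.g. %252e%252e) before matching."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(request_target):
    """Return sorted finding tags for one logged request target."""
    parts = urlsplit(request_target)
    if not parts.path.lower().endswith("/main.ashx"):
        return []
    params = [(k, fully_decode(v))
              for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    action = next((v.upper() for k, v in params if k == "a"), "")
    findings = set()
    for key, value in params:
        if key == "a":
            continue
        if action in PATH_ACTIONS and TRAVERSAL.search(value):
            findings.add(f"traversal:{action}:{key}")
        if SHORTCUT.search(value.strip()):
            findings.add(f"shortcut-name:{key}")
    return sorted(findings)

# Constructed request targets; the first is the RENAMEFILE URL listed above,
# the "d" parameter name in the third is an assumption for illustration.
SAMPLES = [
    "/wwwroot/fileman/asp_net/main.ashx?a=RENAMEFILE&f=%2Fwwwroot%2Ffileman%2FUploads%2FDocuments%2Fpoc.dat&n=../../../../../../../../AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Startup/poc.txt.lnk",
    "/wwwroot/fileman/asp_net/main.ashx?a=RENAMEFILE&f=%2FUploads%2Fa.txt&n=b..v2.txt",
    "/wwwroot/fileman/asp_net/main.ashx?a=CREATEDIR&d=%2FUploads&n=..%252F..%252Fstaging",
]

if __name__ == "__main__":
    for target in SAMPLES:
        print(classify(target) or "clean", "<-", target[:60])
```

Matching on a delimited ".." segment after repeated decoding keeps ordinary names such as b..v2.txt from alerting while still catching backslash and double-encoded variants. Parameters sent in a POST body need the same check applied to the body.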

CVSS provenance

nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd · v2.0 · 5.0 MEDIUM · AV:N/AC:L/Au:N/C:N/I:P/A:N