CVE-2019-19731
Published 2019-12-16
Priority: P2, 64, high; CVSS 3.1: 7.5
AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:H / A:N
EXPLOIT
EPSS: 11.62% (95.5th percentile)
Roxy Fileman 1.4.5 for .NET is vulnerable to path traversal. A remote attacker can write uploaded files to arbitrary locations via the RENAMEFILE action. This can be leveraged for code execution by uploading a specially crafted Windows shortcut file and writing the file to the Startup folder (because an incomplete blacklist of file extensions allows Windows shortcut files to be uploaded).
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| roxyfileman | roxy_fileman | — | — |
Detection & IOCs (extracted from sources)
URL: /wwwroot/fileman/asp_net/main.ashx?a=RENAMEFILE&f=%2Fwwwroot%2Ffileman%2FUploads%2FDocuments%2Fpoc.dat&n=../../../../../../../../AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Startup/poc.txt.lnk
- Detect POST requests to main.ashx with the 'a=RENAMEFILE' parameter where the 'n' value contains path traversal sequences (e.g., '../'); this is the core exploitation mechanism for arbitrary file write.
- Detect POST requests to main.ashx with 'a=UPLOAD' uploading files with double extensions (e.g., .txt.lnk or .dat masking .lnk) to bypass the incomplete extension blacklist.
- Alert on POST requests to main.ashx with 'a=CREATEDIR' containing path traversal sequences, as CREATEDIR is also vulnerable to path traversal and may be used to stage the attack.
- Monitor for .lnk files appearing in Windows Startup folder paths (AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/) written by the IIS worker process (w3wp.exe), which would indicate successful exploitation for persistence.
- Inspect multipart/form-data upload requests to Roxy Fileman for filenames with .lnk or double-extension patterns (e.g., .txt.lnk), as these bypass the default conf.json blacklist.
- The default conf.json FORBIDDEN_UPLOADS blacklist does not include .lnk or .aspx extensions, allowing upload of Windows shortcut files and potentially ASP.NET webshells.
- The RENAMEFILE, CREATEDIR, and COPYFILE actions in main.ashx all lack path validation, meaning all three endpoints are exploitable for path traversal, not just RENAMEFILE.
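The request-side checks listed above can be run over logged request URLs. The following is an added example, not code from this page or from the Roxy Fileman project; it assumes the action parameters appear in the URL query string as in the URL above, and the `d` parameter in the constructed sample is hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Actions the page lists as lacking path validation in main.ashx.
TRAVERSAL_ACTIONS = {"RENAMEFILE", "CREATEDIR", "COPYFILE"}
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
STARTUP_RE = re.compile(r"start menu[\\/]programs[\\/]startup", re.I)

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (e.g. %252e%252e) before matching."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(url):
    """Return a list of findings for one request URL (empty if nothing matched)."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/main.ashx"):
        return []
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes once
    action = params.get("a", [""])[0].upper()
    findings = []
    for name, values in params.items():
        for raw in values:
            value = fully_decode(raw)
            if action in TRAVERSAL_ACTIONS and TRAVERSAL_RE.search(value):
                findings.append(f"traversal in {action} parameter '{name}'")
            if STARTUP_RE.search(value):
                findings.append(f"Startup folder path in parameter '{name}'")
            if value.lower().endswith(".lnk"):
                findings.append(f".lnk target in parameter '{name}'")
    return findings

# First entry is the URL shown on this page; the rest are constructed samples.
SAMPLE_URLS = [
    "/wwwroot/fileman/asp_net/main.ashx?a=RENAMEFILE&f=%2Fwwwroot%2Ffileman%2FUploads%2FDocuments%2Fpoc.dat&n=../../../../../../../../AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Startup/poc.txt.lnk",
    "/wwwroot/fileman/asp_net/main.ashx?a=RENAMEFILE&f=%2FUploads%2Fold.txt&n=new.txt",
    "/wwwroot/fileman/asp_net/main.ashx?a=CREATEDIR&d=%252e%252e%252fstaging",
]

def scan(urls):
    """Map each flagged URL to its findings."""
    return {u: f for u in urls if (f := inspect_request(u))}

if __name__ == "__main__":
    for url, findings in scan(SAMPLE_URLS).items():
        print(url[:60] + "...", findings)
```

Uploaded filenames travel in the multipart body rather than the query string, so the upload checks need body inspection (WAF or proxy) in addition to this.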
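CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |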