CVE-2019-7194
published 2019-12-05


Priority: P196 · critical · 9.8 (CVSS 3.1)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, due 2022-06-22
Exploited in the wild
EPSS: 82.97% (99.6th percentile)
This external control of file name or path vulnerability allows remote attackers to access or modify system files. To fix the vulnerability, QNAP recommend updating Photo Station to their latest versions.

Affected (4 ranges)

Vendor  Product        Version range  Fixed in
qnap    photo_station  < 6.0.3        6.0.3
qnap    photo_station  < 5.7.10       5.7.10
qnap    photo_station  < 5.4.9        5.4.9
qnap    photo_station  < 5.2.11       5.2.11

Detection & IOCs (extracted from sources)

url: /photo/p/api/album.php
url: /photo/slideshow.php
url: /photo/p/api/video.php
url: /cgi-bin/authLogin.cgi
url: /cgi-bin/userConfig.cgi
path: ../../../../../share/Multimedia/.@__thumb/ps.app.token
path: /mnt/ext/opt/photostation2/
cookie: QMS_SID=../../../../../../../../../../mnt/ext/opt/photostation2/<dropper>.php
  • Detect path traversal sequences in the `filename` POST parameter to /photo/p/api/video.php targeting ps.app.token
  • Detect directory traversal sequences (../../) in the QMS_SID cookie value on requests to /photo/slideshow.php
  • Alert on unauthenticated POST to /photo/p/api/album.php with parameter a=setSlideshow&f=qsamplealbum as the first step of the exploit chain
  • Alert on POST to /cgi-bin/authLogin.cgi with app=PHOTO_STATION&auth=1&app_token=, which indicates token-based auth abuse following LFI of ps.app.token
  • Alert on POST to /cgi-bin/userConfig.cgi with func=addPersonalSmtp used to inject a PHP payload via SMTP config field
  • HTTP 200 response containing 'NASVARS' string from /photo/<dropper>.php indicates successful PHP dropper execution
  • Module targets QNAP QTS 4.3.3 and QTS 4.3.6 with Photo Station 5.7.9; flag these version strings in banner/response fingerprinting
  • The exploit is a multi-step chain (7 HTTP requests); detection of any single step in isolation may produce false positives, so correlate across the full sequence for high-fidelity alerting.
  • The dropper PHP filename is randomly generated (6 lowercase alpha chars); pattern-match on short random .php filenames under /photo/ rather than a fixed filename.
  • The QNAP HTTP server runs as root, meaning LFI can expose SSH private keys and password hashes; scope forensic investigation accordingly.
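The detection points above, turned into a stage classifier plus per-source correlation, as an added example that is not part of this record or of any vendor tooling. The request record format (src, path, body, cookie, resp_body fields), the stage labels, the threshold of three distinct stages and the sample requests are all constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

TRAVERSAL = re.compile(r"(?:\.\./){2,}")        # two or more ../ hops
DROPPER = re.compile(r"^/photo/[a-z]{6}\.php$")  # short random PHP name under /photo/

def classify(rec):
    """Map one request record to a stage of the chain described above, or None."""
    path, cookie = rec["path"], rec.get("cookie", "")
    p = parse_qs(rec.get("body", ""), keep_blank_values=True)
    if path == "/photo/p/api/album.php" and p.get("a") == ["setSlideshow"]:
        return "1-setSlideshow"
    if path == "/photo/slideshow.php" and TRAVERSAL.search(cookie):
        return "2-cookie-traversal"
    if path == "/photo/p/api/video.php":
        fn = p.get("filename", [""])[0]
        if TRAVERSAL.search(fn) and fn.endswith("ps.app.token"):
            return "3-token-lfi"
    if path == "/cgi-bin/authLogin.cgi" and p.get("auth") == ["1"]:
        if p.get("app") == ["PHOTO_STATION"] and "app_token" in p:
            return "4-token-auth"
    if path == "/cgi-bin/userConfig.cgi" and p.get("func") == ["addPersonalSmtp"]:
        return "5-smtp-inject"
    if DROPPER.match(path) and "NASVARS" in rec.get("resp_body", ""):
        return "6-dropper-hit"
    return None

def correlate(records, min_stages=3):
    """Collect stage hits per source IP; report sources reaching min_stages distinct stages."""
    hits = defaultdict(set)
    for rec in records:
        stage = classify(rec)
        if stage:
            hits[rec["src"]].add(stage)
    return {src: sorted(s) for src, s in hits.items() if len(s) >= min_stages}

# Constructed sample records (not real traffic): 10.0.0.5 walks the chain, 10.0.0.9 is benign.
SAMPLE = [
    {"src": "10.0.0.5", "path": "/photo/p/api/album.php", "body": "a=setSlideshow&f=qsamplealbum"},
    {"src": "10.0.0.5", "path": "/photo/slideshow.php",
     "cookie": "QMS_SID=../../../../../../../../../../mnt/ext/opt/photostation2/abcdef.php"},
    {"src": "10.0.0.5", "path": "/photo/p/api/video.php",
     "body": "filename=../../../../../share/Multimedia/.@__thumb/ps.app.token"},
    {"src": "10.0.0.5", "path": "/photo/abcdef.php", "resp_body": "NASVARS=..."},
    {"src": "10.0.0.9", "path": "/photo/slideshow.php", "cookie": "QMS_SID=legitimate-session-id"},
    {"src": "10.0.0.9", "path": "/photo/p/api/album.php", "body": "a=setSlideshow&f=holiday"},
]
```

A single setSlideshow call from 10.0.0.9 stays below the threshold, while 10.0.0.5 is reported with every stage it touched.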

CVSS provenance

nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd (v2.0): 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck: 9.8 CRITICAL
cisa: 9.8 CRITICAL