CVE-2019-9581
Published 2019-03-06
CVE-2019-9581: phpscheduleit Booked Scheduler 2.7.5 allows arbitrary file upload via the Favicon field, leading to execution of arbitrary Web/custom-favicon.php PHP code…
Priority: P264 · Severity: high · CVSS 3.1 base score: 8.8
EPSS: 13.49% (96.0th percentile)
phpscheduleit Booked Scheduler 2.7.5 allows arbitrary file upload via the Favicon field, leading to execution of arbitrary Web/custom-favicon.php PHP code, because Presenters/Admin/ManageThemePresenter.php does not ensure an image file extension.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| twinkletoessoftware | booked | — | — |
Detection & IOCs (extracted from sources)
- Alert on any HTTP GET request to /Web/custom-favicon.php containing a 'cmd' query parameter, indicating webshell execution post-upload.
- Flag presence of the file custom-favicon.php in the web root of a Booked Scheduler installation; legitimate favicon files should not have a .php extension.
- Check the HTTP response body for 'v2.7.5' on /Web/index.php to identify vulnerable Booked Scheduler instances (as used by the Metasploit check method).
- Monitor for the CSRF token extraction pattern: response body splitting on 'CSRF_TOKEN" value=' followed immediately by a POST to manage_theme.php?action=update — indicative of automated exploit tooling.
- The vulnerable code path is Presenters/Admin/ManageThemePresenter.php; file integrity monitoring on this file can detect tampering or patching status.
- Exploitation requires valid authenticated credentials (admin-level) to reach the manage_theme.php upload endpoint; unauthenticated exploitation is not possible.
- The Metasploit module defaults to SSL=false; deployments behind HTTPS may require the SSL option to be adjusted for the module to function correctly.
- The Metasploit module's TARGETURI defaults to '/' but the Python PoC hardcodes '/booked/' as the base path; the actual path depends on the server deployment configuration.
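As an added defender-side example (not from the page's sources or the Booked project), the first two log-based signals above applied to a few constructed access-log lines. The `/Web/admin/manage_theme.php` path and the `cmd` parameter name are assumptions taken from the IOC notes; matching is done on path suffixes so that the '/' versus '/booked/' base-path difference does not matter.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Dec/2021:10:01:02 +0000] "POST /booked/Web/admin/manage_theme.php?action=update HTTP/1.1" 302 0
10.0.0.5 - - [14/Dec/2021:10:01:03 +0000] "GET /booked/Web/custom-favicon.php?cmd=id HTTP/1.1" 200 57
10.0.0.9 - - [14/Dec/2021:10:02:00 +0000] "GET /booked/Web/favicon.ico HTTP/1.1" 200 1150
10.0.0.9 - - [14/Dec/2021:10:02:01 +0000] "GET /booked/Web/index.php HTTP/1.1" 200 8123
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Split one access-log line into ip, timestamp, method, path, query dict."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def detect(log_text):
    """Return (ip, timestamp, signal, severity) tuples for the IOCs above."""
    alerts = []
    theme_updaters = set()  # sources that hit the (admin-only) upload endpoint
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, query = rec["ip"], rec["path"], rec["query"]
        # Signal: POST to manage_theme.php?action=update, the favicon upload step.
        if rec["method"] == "POST" and path.endswith("/manage_theme.php") \
                and query.get("action") == ["update"]:
            theme_updaters.add(ip)
        # Signal: request to custom-favicon.php carrying a 'cmd' parameter.
        if path.endswith("/custom-favicon.php") and "cmd" in query:
            # Higher confidence when the same source just performed a theme update.
            severity = "high" if ip in theme_updaters else "medium"
            alerts.append((ip, rec["ts"], "custom-favicon.php cmd request", severity))
    return alerts
```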
CVSS provenance
- NVD, CVSS v3.1: 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 6.5 MEDIUM (AV:N/AC:L/Au:S/C:P/I:P/A:P)
No detection rules found.
Exploit-DB
Booked Scheduler 2.7.5 - Remote Command Execution (RCE) (Authenticated)
exploitdb · 2021-12-14 · CVSS 8.8 · HIGH
---
```python
# Exploit Title: Booked Scheduler 2.7.5 - Remote Command Execution (RCE) (Authenticated)
# Vulnerability founder: AkkuS
# Date: 13/12/2021
# Exploit Author: 0sunday
# Vendor Homepage: https://www.bookedscheduler.com/
# Software Link: N/A
# Version: Booked Scheduler 2.7.5
# Tester on: Kali 2021.2
# CVE: CVE-2019-9581
#!/usr/bin/python3
import sys
import requests
from random import randint


def login():
    # target, username and password are module-level globals set elsewhere
    # in the original script (the listing is cut off in this excerpt).
    login_payload = {
        "email": username,
        "password": password,
        "login": "submit",
        #"language": "en_us"
    }
    # Fixed: the module is 'requests'; the original called 'request.post'.
    login_req = requests.post(
        target + "/booked/Web/index.php",
        login_payload,
        verify=False,
        allow_redirects=True
    )
    if login_req.status_code == 200:
        print("[+] Logged in successfully.")
    else:
        print("[-] Wrong creden
```
Exploit-DB
Booked Scheduler 2.7.5 - Remote Command Execution (Metasploit)
exploitdb · 2019-03-04
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'Booked Scheduler v2.7.5 - Remote Command Execution',
  'Description' => %q{
    This module exploits a file upload vulnerability in Booked 2.7.5.
    In the "Look and Feel" section of the management panel, you can modify the Logo, Favicon and CSS files.
    The upload sections have file extension control except for the favicon part.
    You can upload a file with the extension you want through the Favicon field.
    The file you upload is written to the main directory of the site under the name "custom-favicon".
    After uploading the php payload to the main directory, the exploit executes the payload and receives she
```
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/165263/Booked-Scheduler-2.7.5-Shell-Upload.html
- https://pentest.com.tr/exploits/Booked-2-7-5-Remote-Command-Execution-Metasploit.html
- https://sourceforge.net/p/phpscheduleit/source/ci/c5a86a279d888bd4362e4b4f61acedc054f99c39/
- https://www.exploit-db.com/exploits/46486