cbcvebase.
CVE-2020-11819
published 2020-04-16

CVE-2020-11819: In Rukovoditel 2.5.2, an attacker may inject an arbitrary .php file location instead of a language file and thus achieve command execution.

Priority: P2 · 71 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 26.78% (97.8th percentile)

Affected (1 range)

Vendor       Product       Version range   Fixed in
rukovoditel  rukovoditel   (not given)     (not given)

Detection & IOCs (extracted from sources)

url      /index.php?module=users/account&action=attachments_upload
url      /index.php?module=users/account&action=update
path     uploads/attachments/<date>/<sha1hash>
path     uploads/users/<sha1hash>
cookie   sid=<session_id>
command  fields[13]=../../uploads/attachments/<date>/<sha1hash>
command  fields[13]=../../uploads/users/<sha1hash>
command  fields[13]=english.php
  • Detect LFI exploitation attempt: monitor POST requests to index.php?module=users/account&action=update where the fields[13] parameter contains path traversal sequences (e.g., '../../') instead of a legitimate language filename like 'english.php'.
  • Detect arbitrary file upload to the attachments endpoint: monitor multipart POST requests to index.php?module=users/account&action=attachments_upload containing PHP files (e.g., Filedata field with a .php extension).
  • Detect PHP webshell/reverse shell content uploaded disguised as image files (e.g., PNG files with appended PHP code using proc_open, shell_exec, exec, popen, system, passthru, fsockopen).
  • Monitor GET requests to uploads/users/<sha1> or uploads/attachments/<date>/<sha1> paths that return HTTP 200 with PHP execution output, indicating successful LFI-to-RCE.
  • The exploit uses a predictable SHA1-based filename derived from the server timestamp and the original filename (e.g., sha1(epoch_timestamp + '_' + original_filename)). Alert on rapid enumeration of uploads/users/ or uploads/attachments/ with many candidate SHA1-named paths requested in succession.
  • The attacker restores the language field to 'english.php' after exploitation to cover tracks. Correlate a fields[13] path-traversal update immediately followed by a revert to 'english.php' as a high-confidence attack sequence.
  • The exploit requires prior authentication (a valid session cookie 'sid'). The attack surface is reduced if registration is disabled and credentials are not compromised, but the exploit author notes to check whether the registration module is enabled as an initial access vector.
  • The uploaded file's SHA1 filename is derived from the server's Unix timestamp at upload time. The exploit brute-forces a ±52200-second window in 900-second steps, meaning detection of rapid sequential requests to the uploads directory is a reliable signal.
  • The verifyToken used during file upload is computed as md5(app_user_id + timestamp), where timestamp is attacker-controlled (hardcoded as 1337 in the shell exploit). Weak token validation enables the upload step.
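The correlation described in the bullets above (PHP upload to attachments_upload, path traversal in fields[13], then a revert to english.php in the same session) as an added detection example; this is not code from cbcvebase or from the exploit author, and the log line layout, the session id values and the 40-hex filename are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample request log (not from a real server): "<epoch> sid=<session> <method> <path> <body>"
# The 40-hex filename is a placeholder standing in for the upload's SHA1-derived name.
SAMPLE_LOG = """\
1700000000 sid=abc123 POST /index.php?module=users/account&action=attachments_upload Filedata=report.php
1700000010 sid=abc123 POST /index.php?module=users/account&action=update fields[13]=../../uploads/attachments/2020-04-16/0123456789abcdef0123456789abcdef01234567
1700000020 sid=abc123 POST /index.php?module=users/account&action=update fields[13]=english.php
1700000030 sid=def456 POST /index.php?module=users/account&action=update fields[13]=german.php
"""

LINE_RE = re.compile(r"^(\d+) sid=(\S+) (GET|POST) (\S+) (\S*)$")
REVERT_WINDOW = 600  # seconds: a traversal update followed by a revert to english.php counts as one sequence


def parse_line(line):
    """Split one constructed log line into its fields; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, sid, method, target, body = m.groups()
    url = urlparse(target)
    query = {k: v[0] for k, v in parse_qs(url.query).items()}
    params = {k: v[0] for k, v in parse_qs(body).items()}
    return {"ts": int(ts), "sid": sid, "method": method, "path": url.path, "query": query, "body": params}


def analyze(log_text):
    """Return (severity, sid, ts, reason) alerts for the users/account upload and update patterns."""
    alerts, last_traversal = [], {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["method"] != "POST" or ev["query"].get("module") != "users/account":
            continue
        action, sid, ts = ev["query"].get("action"), ev["sid"], ev["ts"]
        if action == "attachments_upload":
            name = ev["body"].get("Filedata", "")
            if name.lower().endswith(".php"):
                alerts.append(("medium", sid, ts, f"PHP file sent to attachments_upload: {name}"))
        elif action == "update":
            lang = ev["body"].get("fields[13]", "")
            if "../" in lang:
                alerts.append(("medium", sid, ts, f"path traversal in language field: {lang}"))
                last_traversal[sid] = ts
            elif lang == "english.php" and sid in last_traversal and ts - last_traversal[sid] <= REVERT_WINDOW:
                alerts.append(("high", sid, ts, "traversal update followed by revert to english.php"))
                del last_traversal[sid]
    return alerts
```

Running analyze(SAMPLE_LOG) yields two medium alerts for session abc123 (the .php upload and the traversal) and one high alert for the revert; the def456 session, which merely switched language files, produces nothing.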

CVSS provenance

Source  Version  Score  Severity   Vector
NVD     v3.1     9.8    CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD     v2.0     7.5    HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P