CVE-2020-25763
Published: 2020-09-30
Priority: P2 (70) · Severity: critical · 9.8 (CVSS 3.1)
EXPLOIT available · EPSS: 4.98% (91.1 percentile)
Seat Reservation System version 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading PHP files.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| seat_reservation_system_project | seat_reservation_system | — | — |
Detection & IOCs (extracted from sources)
- Monitor POST requests to 'admin/ajax.php?action=save_movie' containing a file upload with Content-Type 'application/php'; this is the unauthenticated file upload endpoint abused for RCE.
- Detect PHP webshell execution via the '?d3crypt=' query parameter in GET requests to uploaded files under the application's image/media directory.
- Alert on PHP files uploaded to the web root's image/cover directory; the exploit uploads a randomly named .php file disguised as a movie cover image.
- No authentication is required to reach the upload endpoint; flag any unauthenticated POST to save_movie that includes a file with a .php extension or application/php MIME type.
- The exploit was tested specifically on Windows 10 + XAMPP 7.2.33-1; behavior on Linux-based stacks may differ slightly, but the upload endpoint and webshell query parameter remain the same.
- The webshell filename is 16 random alphanumeric characters followed by '.php', making static filename-based blocking ineffective; detection must focus on the upload path and MIME type instead.
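The detection points above, turned into a small access-log scanner as an added example (not code from the advisory or its sources). It assumes Combined-Log-Format lines, a cover-image directory at `/images/cover/` (placeholder; adjust to the deployment), and constructed sample lines; note that an access log cannot show the multipart body, so the MIME-type check needs proxy or WAF body inspection.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Sep/2020:10:00:01 +0000] "POST /admin/ajax.php?action=save_movie HTTP/1.1" 200 512',
    '203.0.113.5 - - [30/Sep/2020:10:00:02 +0000] "GET /images/cover/aB3dE5fG7hI9jK1l.php?d3crypt=test HTTP/1.1" 200 87',
    '198.51.100.7 - - [30/Sep/2020:10:01:00 +0000] "GET /images/cover/poster.jpg HTTP/1.1" 200 4096',
    '198.51.100.7 - - [30/Sep/2020:10:01:05 +0000] "GET /index.php HTTP/1.1" 200 2048',
]

COVER_DIR = "/images/cover/"  # assumed location of the cover-image directory
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
RANDOM_NAME_RE = re.compile(r"^[A-Za-z0-9]{16}\.php$")  # 16 random chars + .php

def classify(line):
    """Return a list of (severity, reason) findings for one access-log line."""
    m = REQ_RE.search(line)
    if not m:
        return []
    method, target = m.group("method"), m.group("target")
    url = urlparse(target)
    params = parse_qs(url.query)
    findings = []
    # Rule 1: any hit on the unauthenticated upload endpoint is surfaced for
    # review; the uploaded file's extension/MIME type is not in the access log.
    if method == "POST" and url.path.endswith("/admin/ajax.php") \
            and "save_movie" in params.get("action", []):
        findings.append(("medium", "POST to save_movie upload endpoint"))
    # Rule 2: a PHP file served from the cover directory should never happen.
    if url.path.startswith(COVER_DIR) and url.path.lower().endswith(".php"):
        name = url.path.rsplit("/", 1)[-1]
        sev, reason = "high", "PHP file requested under cover-image directory"
        if RANDOM_NAME_RE.match(name):
            reason += " (16-char random name)"
        # Rule 3: the webshell's command parameter raises it to critical.
        if "d3crypt" in params:
            sev, reason = "critical", reason + "; d3crypt webshell parameter present"
        findings.append((sev, reason))
    return findings

def scan(lines):
    """Map 1-based line number to its findings, skipping clean lines."""
    return {i: f for i, line in enumerate(lines, 1) if (f := classify(line))}

if __name__ == "__main__":
    for n, fs in scan(SAMPLE_LOG).items():
        for sev, why in fs:
            print(f"line {n}: [{sev}] {why}")
```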
CVSS provenance
- NVD v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/159260/Seat-Reservation-System-1.0-Shell-Upload.html
- http://seclists.org/fulldisclosure/2020/Sep/41
- https://packetstormsecurity.com/files/author/15149