CVE-2020-27387
Published: 2020-11-05
Priority: P1 · 81 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 18.46% (96.9th percentile)
An unrestricted file upload issue in HorizontCMS through 1.0.0-beta allows an authenticated remote attacker (with access to the FileManager) to upload and execute arbitrary PHP code by uploading a PHP payload, and then using the FileManager's rename function to provide the payload (which will receive a random name on the server) with the PHP extension, and finally executing the PHP file via an HTTP GET request to /storage/. NOTE: the vendor has patched this while leaving the version number at 1.0.0-beta.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| horizontcms_project | horizontcms | — | — |
Detection & IOCs
- Monitor for HTTP POST requests to /admin/file-manager/fileupload followed by a POST to /admin/file-manager/rename; this two-step sequence is characteristic of the Metasploit exploit module for CVE-2020-27387.
- Alert on HTTP GET requests to /storage/<filename> immediately after file upload/rename activity on HorizontCMS; this is the payload execution step.
- Detect upload of .htaccess or *.hello extension files via the HorizontCMS Media Files upload functionality, which can be used to bypass PHP extension filters and enable RCE.
- For Linux/Windows targets, the exploit uploads a PHP web shell and then delivers a staged payload via multiple HTTP GET requests to that shell; look for repeated GET requests to a newly uploaded file in /storage/.
- Exploitation requires valid credentials for a HorizontCMS account in the Admin, Manager, or Editor group; this is the default configuration. Restrict FileManager access to reduce attack surface.
- The original CVE-2020-27387 PHP extension block was bypassed (CVE-2021-28428) via .htaccess + arbitrary extension upload; blocking PHP extensions alone is insufficient, so block .htaccess uploads as well.
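The upload, rename, then GET sequence described above can be correlated from web server access logs. The following is an added example, not a rule from this page or from any vendor; it assumes combined-format logs, keys the correlation on client IP, and uses an arbitrary 5-minute window. The log lines are constructed sample data.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in Apache/nginx combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [05/Nov/2020:10:00:01 +0000] "POST /admin/file-manager/fileupload HTTP/1.1" 200 512
203.0.113.7 - - [05/Nov/2020:10:00:03 +0000] "POST /admin/file-manager/rename HTTP/1.1" 200 128
203.0.113.7 - - [05/Nov/2020:10:00:05 +0000] "GET /storage/example-upload.php HTTP/1.1" 200 0
203.0.113.7 - - [05/Nov/2020:10:00:06 +0000] "GET /storage/example-upload.php HTTP/1.1" 200 0
198.51.100.9 - - [05/Nov/2020:10:01:00 +0000] "POST /admin/file-manager/fileupload HTTP/1.1" 200 512
198.51.100.9 - - [05/Nov/2020:10:30:00 +0000] "GET /storage/banner.png HTTP/1.1" 200 20480
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
UPLOAD = "/admin/file-manager/fileupload"
RENAME = "/admin/file-manager/rename"
WINDOW = timedelta(minutes=5)  # assumed correlation window; tune per site

def detect_sequences(log_text, window=WINDOW):
    """Return one alert per (client, file) that did upload -> rename -> GET /storage/."""
    state = {}   # client -> {"stage": 0..2, "ts": time of last matched step}
    alerts = {}  # (client, storage path) -> alert dict
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, ts_raw, method, target, _status = m.groups()
        ts = datetime.strptime(ts_raw, "%d/%b/%Y:%H:%M:%S %z")
        path = target.split("?", 1)[0]  # ignore any query string
        st = state.setdefault(client, {"stage": 0, "ts": ts})
        if st["stage"] and ts - st["ts"] > window:
            st["stage"] = 0  # earlier steps are too old to correlate
        if method == "POST" and path.startswith(UPLOAD):
            st.update(stage=1, ts=ts)
        elif method == "POST" and path.startswith(RENAME) and st["stage"] == 1:
            st.update(stage=2, ts=ts)
        elif method == "GET" and path.startswith("/storage/") and st["stage"] == 2:
            # Any extension counts: the CVE-2021-28428 bypass does not need .php.
            hit = alerts.setdefault((client, path), {
                "client": client, "path": path, "first_seen": ts, "gets": 0})
            hit["gets"] += 1   # repeated GETs suggest staged payload delivery
            st["ts"] = ts      # keep the window open while the GETs continue
    return list(alerts.values())

if __name__ == "__main__":
    for a in detect_sequences(SAMPLE_LOG):
        print(a["first_seen"].isoformat(), a["client"], a["path"], "GETs:", a["gets"])
```

Behind a reverse proxy or NAT, correlate on the authenticated session identifier instead of the client IP if the logs carry one.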
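CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| vulncheck | — | 8.8 | HIGH | — |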
GHSA
GHSA-fmrq-56mh-96f5: CVE-2020-27387 [HIGH] CWE-434
ghsa_unreviewed · 2022-05-24
GHSA
GHSA-cm95-9q8x-72h6: CVE-2021-28428 [HIGH] CWE-434
ghsa_unreviewed · 2022-04-06 · CVSS 8.8
File upload vulnerability in HorizontCMS before 1.0.0-beta.3 via uploading a .htaccess and *.hello files using the Media Files upload functionality. The original file upload vulnerability (CVE-2020-27387) was remediated by restricting the PHP extensions; however, we confirmed that the filter was bypassed via uploading an arbitrary .htaccess and *.hello files in order to execute PHP code to gain RCE.
VulnCheck
CVE-2020-27387 [HIGH] horizontcms_project horizontcms Unrestricted Upload of File with Dangerous Type
vulncheck · 2020 · CVSS 8.8
Affected: horizontcms_project horizontcms
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
References
- http://packetstormsecurity.com/files/160046/HorizontCMS-1.0.0-beta-Shell-Upload.html
- https://blog.vonahi.io/whats-in-a-re-name/
- https://github.com/rapid7/metasploit-framework/pull/14340
- https://github.com/ttimot24/HorizontCMS/commit/436b5ab679fd27afa3d99c023dbe103113da4fee