CVE-2020-28337
Published 2021-02-15
Priority: P261, high
CVSS 3.1 base score: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available
EPSS: 16.61% (96.6th percentile)
A directory traversal issue in the Utils/Unzip module in Microweber through 1.1.20 allows an authenticated attacker to gain remote code execution via the backup restore feature. To exploit the vulnerability, an attacker must have the credentials of an administrative user, upload a maliciously constructed ZIP file with file paths including relative paths (i.e., ../../), move this file into the backup directory, and execute a restore on this file.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microweber | microweber | <= 1.1.20 | — |
| microweber | microweber | >= 0 < 1.2.3 | 1.2.3 |
Detection & IOCs (extracted from sources)
- Monitor POST requests to /api/user_login followed shortly by requests to /plupload and /api/Microweber/Utils/Backup/move_uploaded_file_to_backup; this sequence is the exploit chain for CVE-2020-28337.
- Alert on ZIP archive uploads containing path traversal sequences (../../) delivered to /plupload, as the exploit embeds '../../../../'-prefixed paths inside the ZIP to escape the webroot.
- Detect POST requests to /api/Microweber/Utils/Backup/restore with an 'id' parameter matching a ZIP filename; this triggers unsafe extraction of the traversal payload.
- Detect HTTP requests to the dropped webshell that include the 'fexec' parameter, which is used to pass OS commands to shell_exec() in the default payload.
- Use the debug endpoint (GET /?debug=true) access pattern to identify attacker reconnaissance; the exploit uses it to resolve the absolute webroot path via DefaultController.php.
- The exploit moves the uploaded ZIP from /userfiles/media/{hostname}/ to the backup directory; monitor file move operations from that media path into backup directories.
Caveats:
- SSL verification is disabled in the exploit by default; detections based on TLS inspection may not apply if the target is HTTP-only, and the exploit works against HTTPS targets without certificate validation.
- The exploit requires authenticated access with administrative credentials; detections should account for the fact that the attacker will have a valid session cookie before triggering the traversal.
- The ZIP traversal depth is hardcoded to four levels (../../../../) based on the backup extraction path /storage/cache/backup_restore/; environments with different installation paths may require a different traversal depth.
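The root cause is CWE-22 in the archive extractor: entry names containing ../ (or absolute paths) are written relative to the backup directory without being checked. The following is an added example, not Microweber's own code and not taken from the exploit, showing the defensive check an unzip routine needs: every entry name is resolved against the destination directory and the whole archive is refused if any entry would land outside it. The in-memory archive at the bottom is constructed test input; the destination path passed to the functions is an assumption, and the check is generic to any ZIP-restore feature rather than specific to Microweber.

```python
import io
import os
import zipfile
from pathlib import PurePosixPath


def is_entry_safe(name: str, dest: str) -> bool:
    """Return True only if `name`, joined under `dest`, stays inside `dest`.

    Rejects '../' sequences, absolute paths and Windows drive prefixes by
    normalising the joined path and comparing it against the real destination.
    """
    # ZIP names are '/'-separated by spec; normalise backslashes defensively.
    posix_name = name.replace("\\", "/")
    if posix_name.startswith("/") or PurePosixPath(posix_name).is_absolute():
        return False
    if len(posix_name) > 1 and posix_name[1] == ":":  # e.g. C:evil.php
        return False
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, posix_name))
    return target == dest_real or target.startswith(dest_real + os.sep)


def unsafe_entries(zip_bytes: bytes, dest: str) -> list[str]:
    """List every entry in the archive that would escape `dest`."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if not is_entry_safe(n, dest)]


def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Extract only if every entry is safe; otherwise raise and extract nothing.

    Checking the whole archive first (rather than skipping bad entries one by
    one) means a tampered backup is rejected outright and can be logged.
    """
    bad = unsafe_entries(zip_bytes, dest)
    if bad:
        raise ValueError(f"zip slip attempt, refusing archive: {bad}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)
        return zf.namelist()


def build_sample_zip(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP (constructed test input, not a real backup)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample: one legitimate backup entry, one relative-traversal
# entry and one absolute-path entry. The target directory is hypothetical.
SAMPLE_ZIP = build_sample_zip({
    "backup/config.json": b"{}",
    "../../../../userfiles/x.txt": b"escaped",
    "/etc/x.txt": b"absolute",
})

if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as restore_dir:
        print("unsafe entries:", unsafe_entries(SAMPLE_ZIP, restore_dir))
        try:
            safe_extract(SAMPLE_ZIP, restore_dir)
        except ValueError as err:
            print(err)
```

Note that Python's own `ZipFile.extractall` already strips leading slashes and `..` components, so the check above matters most as a model for extractors (such as a hand-written PHP unzip loop) that copy the entry name straight into a filesystem path; rejecting the archive, rather than silently rewriting names, also produces an event worth alerting on.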
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
GHSA
Zip slip in Microweber (ghsa, 2022-02-10): CVE-2020-28337 [HIGH] CWE-22. Description as above.
OSV
Zip slip in Microweber (osv, 2022-02-10): CVE-2020-28337 [HIGH]. Description as above.
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/162514/Microweber-CMS-1.1.20-Remote-Code-Execution.html
- https://github.com/microweber/microweber/commit/777ee9c3e7519eb3672c79ac41066175b2001b50
- https://sl1nki.page/advisories/CVE-2020-28337
- https://sl1nki.page/blog/2021/02/01/microweber-zip-slip