CVE-2020-8639
Published 2020-04-03
Priority P2 · 71 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 15.86% (96.5th percentile)
An unrestricted file upload vulnerability in keywordsImport.php in TestLink 1.9.20 allows remote attackers to execute arbitrary code by uploading a file with an executable extension. This allows an authenticated attacker to upload a malicious file (containing PHP code to execute operating system commands) to a publicly accessible directory of the application.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| testlink | testlink | — | — |
Detection & IOCs (extracted from sources)
- Detect multipart POST requests to keywordsImport.php where the 'importType' field contains path traversal sequences (e.g., /../../../) and a .php extension, indicating an attempt to write a webshell outside the intended upload directory.
- Alert on file uploads to keywordsImport.php where the uploaded file content contains PHP webshell patterns (e.g., system(), passthru(), or shell_exec() wrapped in PHP tags) despite the filename having a benign extension such as .xml.
- Monitor for GET requests to logs/pwn.php with a query parameter 'c=' which is the webshell command execution interface dropped by this exploit.
- Detect creation of .php files inside the TestLink logs/ directory, which is publicly accessible and should not contain executable PHP scripts.
- Flag POST requests to /lib/keywords/keywordsImport.php originating from authenticated sessions (presence of TESTLINK1920TESTLINK_USER_AUTH_COOKIE) that include multipart form data with path traversal in the importType field.
- Exploitation requires prior authentication; the attacker must have valid TestLink credentials before the file upload vulnerability can be triggered.
- The exploit targets specifically TestLink version 1.9.20; detections should be scoped to environments running this version.
- The webshell upload path (logs/pwn.php) is hardcoded in the public exploit but an attacker could trivially change the filename or traversal depth; detection should focus on the traversal pattern in importType rather than the specific filename.
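
A request inspector covering the importType and upload-content detections listed above, as an added example that is not part of the original page or of any published rule set. The field name `uploadedFile`, the finding labels and both sample requests are constructed assumptions.

```python
import re
from email import message_from_bytes

TRAVERSAL = re.compile(r"\.\.[/\\]")
PHP_EXT = re.compile(r"\.(?:php\d?|phtml|phar)$", re.I)
PHP_EXEC = re.compile(rb"<\?(?:php|=)?[^?]*\b(?:system|passthru|shell_exec)\s*\(", re.I)

def parse_multipart(content_type, body):
    """Return {field name: (filename or None, raw bytes)} for a form-data body."""
    msg = message_from_bytes(b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body)
    if not msg.is_multipart():
        return {}
    return {p.get_param("name", header="content-disposition"):
            (p.get_filename(), p.get_payload(decode=True) or b"")
            for p in msg.get_payload()}

def inspect_request(method, path, content_type, body):
    """Return finding labels for one HTTP request; an empty list means no match."""
    if method != "POST" or not path.split("?")[0].endswith("/keywordsImport.php"):
        return []
    parts = parse_multipart(content_type, body)
    import_type = parts.get("importType", (None, b""))[1].decode("latin-1").strip()
    findings = []
    # Key on the traversal pattern, not on a specific dropped filename.
    if TRAVERSAL.search(import_type):
        findings.append("importType-traversal")
    if PHP_EXT.search(import_type):
        findings.append("importType-php-extension")
    # PHP execution calls inside an upload, whatever extension the filename claims.
    for name, (filename, data) in parts.items():
        if filename and PHP_EXEC.search(data):
            findings.append(f"php-exec-in-upload:{name}")
    return findings

# Constructed sample requests (not captured traffic); "uploadedFile" is an assumed field name.
def sample_body(boundary, import_type, file_bytes):
    b = boundary.encode()
    return (b"--" + b + b'\r\nContent-Disposition: form-data; name="importType"\r\n\r\n'
            + import_type.encode() + b"\r\n--" + b
            + b'\r\nContent-Disposition: form-data; name="uploadedFile"; filename="keywords.xml"'
            + b"\r\nContent-Type: text/xml\r\n\r\n" + file_bytes + b"\r\n--" + b + b"--\r\n")

CTYPE = "multipart/form-data; boundary=constructed123"
SUSPICIOUS = sample_body("constructed123", "/../../../logs/pwn.php", b'<?php passthru("id"); ?>')
BENIGN = sample_body("constructed123", "xml", b'<?xml version="1.0"?><keywords/>')

if __name__ == "__main__":
    for label, body in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, inspect_request("POST", "/lib/keywords/keywordsImport.php", CTYPE, body))
```

The same function can be fed from a WAF or reverse-proxy body log; it inspects only what is logged, so request-body capture must be enabled for the keywordsImport.php path.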
CVSS provenance
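| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |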
- http://packetstormsecurity.com/files/161401/TestLink-1.9.20-Shell-Upload.html
- https://ackcent.com/blog/testlink-1.9.20-unrestricted-file-upload-and-sql-injection/
- https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/57d81ae350d569c5c95087997fe051c49e14516d