CVE-2020-8639
published 2020-04-03


Priority: P271 · high · 8.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Exploit: public exploit available
EPSS: 15.86% (96.5th percentile)
An unrestricted file upload vulnerability in keywordsImport.php in TestLink 1.9.20 allows remote attackers to execute arbitrary code by uploading a file with an executable extension. This allows an authenticated attacker to upload a malicious file (containing PHP code to execute operating system commands) to a publicly accessible directory of the application.

Affected

1 range

Vendor | Product | Version range | Fixed in
testlink | testlink | |

Detection & IOCs (extracted from sources)

path: /testlink/lib/keywords/keywordsImport.php
path: logs/pwn.php
filename: pwn.php
command: /../../../logs/pwn.php
url: http://127.0.0.1/testlink/lib/keywords/keywordsImport.php
command: ?c=whoami
  • Detect multipart POST requests to keywordsImport.php where the 'importType' field contains path traversal sequences (e.g., /../../../) and a .php extension, indicating an attempt to write a webshell outside the intended upload directory.
  • Alert on file uploads to keywordsImport.php where the uploaded file content contains PHP webshell patterns (e.g., system(), passthru(), or shell_exec() wrapped in PHP tags) despite the filename having a benign extension such as .xml.
  • Monitor for GET requests to logs/pwn.php with a query parameter 'c=' which is the webshell command execution interface dropped by this exploit.
  • Detect creation of .php files inside the TestLink logs/ directory, which is publicly accessible and should not contain executable PHP scripts.
  • Flag POST requests to /lib/keywords/keywordsImport.php originating from authenticated sessions (presence of TESTLINK1920TESTLINK_USER_AUTH_COOKIE) that include multipart form data with path traversal in the importType field.
  • Exploitation requires prior authentication; the attacker must have valid TestLink credentials before the file upload vulnerability can be triggered.
  • The exploit specifically targets TestLink version 1.9.20; detections should be scoped to environments running this version.
  • The webshell upload path (logs/pwn.php) is hardcoded in the public exploit, but an attacker could trivially change the filename or traversal depth; detection should focus on the traversal pattern in importType rather than the specific filename.
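
The importType check from the detection notes above, as an added example (not part of the original entry and not the project's code): it parses a multipart/form-data body and flags the field on the traversal pattern and extension rather than on the filename pwn.php. The request body is constructed, and the file field name `uploadedFile`, the boundary and the extension list are assumptions.

```python
import re
from email import message_from_bytes
from urllib.parse import unquote

# ".." as a whole path segment, with either slash style
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# Assumed list of extensions a PHP-enabled web server may execute
EXEC_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)

def suspicious_import_type(value: str) -> list[str]:
    """Return the reasons an importType value looks like a file path."""
    decoded = unquote(value).strip()  # also catches %2e%2e style encoding
    reasons = []
    if TRAVERSAL.search(decoded):
        reasons.append("path traversal")
    if EXEC_EXT.search(decoded):
        reasons.append("executable extension")
    return reasons

def inspect_upload(content_type: str, body: bytes) -> list[str]:
    """Parse a multipart/form-data body and check its importType field."""
    raw = b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
    for part in message_from_bytes(raw).walk():
        if part.get_param("name", header="content-disposition") == "importType":
            value = part.get_payload(decode=True).decode("utf-8", "replace")
            return suspicious_import_type(value)
    return []  # no importType field in this request

# Constructed sample body: importType value taken from the IOC list above,
# file field name and file content are placeholders (assumptions).
BOUNDARY = "constructedboundary"
SAMPLE_BODY = (
    "--{b}\r\n"
    'Content-Disposition: form-data; name="importType"\r\n\r\n'
    "/../../../logs/pwn.php\r\n"
    "--{b}\r\n"
    'Content-Disposition: form-data; name="uploadedFile"; filename="keywords.xml"\r\n'
    "Content-Type: text/xml\r\n\r\n"
    "<keywords/>\r\n"
    "--{b}--\r\n"
).format(b=BOUNDARY).encode()

if __name__ == "__main__":
    ctype = f"multipart/form-data; boundary={BOUNDARY}"
    print(inspect_upload(ctype, SAMPLE_BODY))
```
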

CVSS provenance

nvd · v3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 6.5 MEDIUM · AV:N/AC:L/Au:S/C:P/I:P/A:P