CVE-2021-27513
Published: 2021-02-22
Priority: P2 65 high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 28.39% (97.9th percentile)
The module admin_ITSM in EyesOfNetwork 5.3-10 allows remote authenticated users to upload arbitrary .xml.php files because it relies on "le filtre userside."
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| eyesofnetwork | eyesofnetwork | — | — |
Detection & IOCs (extracted from sources)
URL: /module/admin_itsm/ajax.php
Snort/Suricata rule:
```
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible EyesOfNetwork Remote File Upload with PHP WebShell Inbound (CVE-2021-27513)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/module/admin_itsm/ajax.php"; http.request_body; content:"|0d 0a 0d 0a|<?php"; fast_pattern; content:"name=|22|itsm_type_request|22|"; distance:0; reference:cve,2021-27513; classtype:attempted-admin; sid:2034160; rev:1; metadata:attack_target Server, created_at 2021_10_09, cve CVE_2021_27513, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, updated_at 2021_10_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
```
Bytes: `|0d 0a 0d 0a|<?php`
- Detect exploit attempts by monitoring for HTTP POST requests to /module/admin_itsm/ajax.php whose body contains a PHP webshell payload (CRLF CRLF followed by <?php) together with the multipart field name 'itsm_type_request'.
- Alert on uploads of double-extension files (.xml.php) to the admin_ITSM module; these bypass the client-side filter ('le filtre userside') and lead to remote code execution.
- The file upload filter is enforced client-side only ('le filtre userside'): server-side validation is absent, so any authenticated user can bypass the restriction.
- The Snort/Suricata rule (sid:2034160) is rated confidence Medium; tune accordingly in high-noise environments.
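Added here as a worked example (not the page's own code and not from the EyesOfNetwork project): a Python re-implementation of the matching conditions in ET rule sid:2034160 plus the double-extension check from the bullets above, run over constructed multipart bodies so the logic can be tested offline against log or PCAP extracts. The function names, the BOUNDARY marker and the sample bodies are assumptions.

```python
import re
from typing import List, Tuple

URI_NEEDLE = b"/module/admin_itsm/ajax.php"
SHELL_NEEDLE = b"\r\n\r\n<?php"            # |0d 0a 0d 0a|<?php in the rule
FIELD_NEEDLE = b'name="itsm_type_request"'  # name=|22|itsm_type_request|22|

def matches_sid_2034160(method: bytes, uri: bytes, body: bytes) -> bool:
    """True when a request satisfies every content match of the rule.
    'distance:0' means the field name must occur *after* the '<?php'
    match, so the second search starts at the end of the first hit."""
    if method != b"POST" or URI_NEEDLE not in uri:
        return False
    pos = body.find(SHELL_NEEDLE)
    if pos < 0:
        return False
    return body.find(FIELD_NEEDLE, pos + len(SHELL_NEEDLE)) >= 0

FILENAME_RE = re.compile(rb'filename="([^"]+)"')

def double_extension_uploads(body: bytes) -> List[bytes]:
    """Filenames in a multipart body carrying a second, executable
    extension (e.g. report.xml.php), the bypass the page describes."""
    return [n for n in FILENAME_RE.findall(body)
            if re.search(rb"\.[A-Za-z0-9]+\.php$", n, re.IGNORECASE)]

def build_multipart(parts: List[Tuple[bytes, bytes, bytes]]) -> bytes:
    """Build a constructed multipart/form-data body; parts = (name, filename, data)."""
    out = b""
    for name, filename, data in parts:
        out += b"--BOUNDARY\r\nContent-Disposition: form-data; name=\"" + name + b"\""
        if filename:
            out += b"; filename=\"" + filename + b"\""
        out += b"\r\n\r\n" + data + b"\r\n"
    return out + b"--BOUNDARY--\r\n"

# Constructed samples (not captured traffic): a legitimate XML upload and a
# double-extension upload whose body starts with a PHP open tag.
BENIGN_BODY = build_multipart([(b"file", b"report.xml", b"<?xml version='1.0'?><x/>"),
                               (b"itsm_type_request", b"", b"import")])
SUSPECT_BODY = build_multipart([(b"file", b"report.xml.php", b"<?php /* placeholder */ ?>"),
                                (b"itsm_type_request", b"", b"import")])

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("suspect", SUSPECT_BODY)):
        hit = matches_sid_2034160(b"POST", URI_NEEDLE, body)
        print(label, "rule hit:", hit, "double-ext:", double_extension_uploads(body))
```

Note that the rule's `distance:0` ordering means a body in which the `itsm_type_request` part precedes the file part does not fire; the filename check catches that case independently of part order.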
CVSS provenance
- NVD v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P
GHSA
GHSA-42ff-q9r4-9fgc (ghsa_unreviewed, 2022-05-24): CVE-2021-27513 [HIGH] CWE-434
The module admin_ITSM in EyesOfNetwork 5.3-10 allows remote authenticated users to upload arbitrary .xml.php files because it relies on "le filtre userside."
GHSA
GHSA-v598-3w4j-2787 (ghsa_unreviewed, 2022-05-24, CVSS 8.8): CVE-2021-27514 [HIGH] CWE-307
EyesOfNetwork 5.3-10 uses an integer of between 8 and 10 digits for the session ID, which might be leveraged for brute-force authentication bypass (such as in CVE-2021-27513 exploitation).
Suricata
ET EXPLOIT Possible EyesOfNetwork Remote File Upload with PHP WebShell Inbound (CVE-2021-27513) (suricata, 2021-10-09, CVSS 8.8): CVE-2021-27513 [HIGH], sid:2034160; the full rule text is given under Detection & IOCs above.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://github.com/ArianeBlow/exploit-eyesofnetwork5.3.10/blob/main/PoC-BruteForceID-arbitraty-file-upload-RCE-PrivEsc.py
- https://github.com/EyesOfNetworkCommunity/eonweb/issues/87
Published: 2021-02-22