CVE-2021-43258
Published 2022-11-23
Priority: P2 (69) · Severity: high · CVSS 3.1 base score: 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: public (Metasploit module, see Detection & IOCs)
EPSS: 10.52% (95.2th percentile)
CartView.php in ChurchInfo 1.3.0 allows attackers to achieve remote code execution through insecure uploads. This requires authenticated access to the ChurchInfo application. Once authenticated, a user can add names to their cart and compose an email. Uploading an attachment for the email stores the attachment on the site in the /tmp_attach/ folder, where it can be accessed with a GET request. There are no limitations on the files that can be attached, allowing malicious PHP code to be uploaded and interpreted by the server.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| churchdb | churchinfo | 1.2.13 – 1.3.0 | — |
Detection & IOCs (extracted from sources)
Source: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/churchinfo_upload_exec.rb
- Monitor for HTTP GET requests to the /tmp_attach/ directory on ChurchInfo web servers, which may indicate retrieval of a previously uploaded malicious file.
- Alert on PHP file uploads via CartView.php, particularly multipart POST requests to the cart/email draft functionality that include .php file attachments.
- Detect the web server process (e.g. www-data) spawning child processes following a GET request to /tmp_attach/, which is indicative of server-side PHP execution of an uploaded payload.
- The vulnerability affects ChurchInfo versions 1.2.13 through 1.3.0; scope detection rules accordingly.
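The first and second indicators above can be checked against ordinary web server access logs. The following script is an added example (not part of the indexed source or of ChurchInfo) that parses combined-format access log lines and raises two kinds of alert: a GET of a PHP-executable file under /tmp_attach/, and any fetch from /tmp_attach/ that closely follows a POST to CartView.php from the same client. The log lines, the /churchinfo/ path prefix and the ten-minute correlation window are constructed assumptions; note that an access log does not record the multipart body, so the uploaded attachment's filename is only visible at the moment it is fetched back, not when it is uploaded.

```python
import re
from datetime import datetime

# Constructed sample access log lines (combined log format); not real traffic.
# 10.0.0.5 logs in, opens the cart, POSTs an email draft with an attachment,
# then fetches the stored attachment back as PHP. 10.0.0.9 is benign traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Nov/2022:10:01:02 +0000] "POST /churchinfo/Login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [23/Nov/2022:10:01:10 +0000] "GET /churchinfo/CartView.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [23/Nov/2022:10:01:30 +0000] "POST /churchinfo/CartView.php HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
10.0.0.5 - - [23/Nov/2022:10:01:35 +0000] "GET /churchinfo/tmp_attach/shell.php?cmd=id HTTP/1.1" 200 64 "-" "Mozilla/5.0"
10.0.0.9 - - [23/Nov/2022:10:05:00 +0000] "GET /churchinfo/tmp_attach/minutes.pdf HTTP/1.1" 200 88211 "-" "Mozilla/5.0"
10.0.0.9 - - [23/Nov/2022:10:06:00 +0000] "GET /churchinfo/index.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD path proto", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Extensions PHP handlers commonly execute. The lookahead also catches
# double extensions such as shell.php.jpg, which some handler configs still run.
PHP_EXT = re.compile(r'\.(php\d?|phtml|phar|phps)(?=\.|$)', re.IGNORECASE)


def analyze(log_text, window_seconds=600):
    """Return a list of (severity, client_ip, path, reason) tuples.

    HIGH:   GET of a PHP-executable file under /tmp_attach/.
    MEDIUM: any fetch from /tmp_attach/ within window_seconds of a POST to
            CartView.php by the same client (upload-then-retrieve pattern).
    Version scoping (1.2.13 - 1.3.0) cannot be inferred from logs; apply it
    at the asset level when deploying this.
    """
    alerts = []
    last_cart_post = {}  # client ip -> timestamp of most recent POST to CartView.php

    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than crash the pipeline
        ip, method, path = m.group("ip"), m.group("method"), m.group("path")
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        path_noquery = path.split("?", 1)[0]

        if method == "POST" and path_noquery.endswith("/CartView.php"):
            # Candidate attachment upload; the body (and filename) is not logged here.
            last_cart_post[ip] = ts
            continue

        if "/tmp_attach/" in path_noquery:
            if PHP_EXT.search(path_noquery):
                alerts.append((
                    "HIGH", ip, path,
                    "PHP-executable file requested from /tmp_attach/",
                ))
            prev = last_cart_post.get(ip)
            if prev is not None and (ts - prev).total_seconds() <= window_seconds:
                alerts.append((
                    "MEDIUM", ip, path,
                    "fetch from /tmp_attach/ shortly after POST to CartView.php",
                ))
    return alerts


if __name__ == "__main__":
    for severity, ip, path, reason in analyze(SAMPLE_LOG):
        print(f"[{severity}] {ip} {path} - {reason}")
```

Run against the constructed sample, the script emits a HIGH and a MEDIUM alert for 10.0.0.5 and nothing for 10.0.0.9, whose PDF fetch from /tmp_attach/ is the legitimate use of the same directory. The HIGH rule stands on its own; the MEDIUM rule is the correlation that turns a noisy "any GET to /tmp_attach/" indicator into something worth paging on.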
No detection rules found.
No writeups or analysis indexed.