CVE-2021-44664
Published 2022-02-24
Priority: P268, high, 8.8 (CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: EPSS 12.78% (95.8th percentile)
An Authenticated Remote Code Execution (RCE) vulnerability exists in Xerte through 3.9 in website_code/php/import/fileupload.php by uploading a maliciously crafted PHP file through the project interface, disguised as a language file, to bypass the upload filters. Attackers can manipulate the file's destination by abusing path traversal in the 'mediapath' variable.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xerte | xerte | <= 3.9 | — |
Detection & IOCs (extracted from sources)
- Monitor POST requests to /website_code/php/import/fileupload.php containing a 'mediapath' parameter with path traversal sequences (e.g., '../') — this is the core exploitation vector for CVE-2021-44664.
- Alert on multipart file uploads to fileupload.php where the uploaded filename has a .inc or .php extension, especially when the Content-Type is application/octet-stream — the exploit disguises a PHP webshell as a language file.
- Watch for HTTP requests to the Xerte root with a 'cmd' query parameter (e.g., /?cmd=whoami) after a successful upload — this indicates webshell execution via the overwritten index.inc language file.
- Correlate a sequence of three POST requests: (1) to new_template.php, (2) to media_and_quota_template.php, and (3) to fileupload.php — this three-step pattern is the full exploit chain for CVE-2021-44664.
- The PoC exploit assumes guest login is enabled on the Xerte instance. If guest login is disabled, an attacker must supply a valid authenticated PHPSESSID cookie. Detections based on unauthenticated access may miss attacks using stolen or brute-forced session IDs.
- The exploit specifically targets the en-GB language file (index.inc). Installations using a different default language will have a different traversal target path, so path-based detections should be broadened to cover other language directories.
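The detection items above, as an added example that is not part of this page or of the Xerte project: a small Python checker that applies the per-request rules (traversal in 'mediapath', .php/.inc upload, 'cmd' probe at the root) and the three-step chain rule to constructed request records. The record schema (session, method, path, merged query/body params, upload Content-Type, filename) and the sample paths other than fileupload.php are assumptions; the double-URL-encoded 'mediapath' in session s3 shows why the check decodes before matching.

```python
import re
from posixpath import basename
from urllib.parse import urlparse, unquote

def req(session, method, path, params=None, ctype=None, filename=None):
    """Constructed request record (an assumed log schema, not from the page): session
    cookie, method, path, merged query/body params, upload Content-Type, uploaded filename."""
    return dict(session=session, method=method, path=path, params=params or {},
                ctype=ctype, filename=filename)

# Constructed traffic: s1 is the full three-step chain plus a webshell probe,
# s2 a benign media upload, s3 a traversal hidden behind double URL-encoding.
SAMPLE = [
    req("s1", "POST", "/website_code/php/new_template.php"),
    req("s1", "POST", "/website_code/php/media_and_quota_template.php"),
    req("s1", "POST", "/website_code/php/import/fileupload.php",
        {"mediapath": "../../languages/en-GB/"}, "application/octet-stream", "index.inc"),
    req("s1", "GET", "/?cmd=whoami", {"cmd": "whoami"}),
    req("s2", "POST", "/website_code/php/import/fileupload.php",
        {"mediapath": "media/"}, "image/png", "photo.png"),
    req("s3", "POST", "/website_code/php/import/fileupload.php",
        {"mediapath": "%252e%252e%2flanguages%2f"}, "image/png", "x.png"),
]
TRAVERSAL = re.compile(r"\.\.[/\\]")
SCRIPT_EXT = re.compile(r"\.(php|inc)$", re.IGNORECASE)
CHAIN = ["new_template.php", "media_and_quota_template.php", "fileupload.php"]

def check_request(r):
    """Per-request rules from the IOC list above; returns the names of those that fire."""
    hits, path = [], urlparse(r["path"]).path
    if r["method"] == "POST" and basename(path) == "fileupload.php":
        # decode twice so %252e%252e%2f (double-encoded ../) is caught as well
        if TRAVERSAL.search(unquote(unquote(r["params"].get("mediapath", "")))):
            hits.append("mediapath-traversal")
        if r["filename"] and SCRIPT_EXT.search(r["filename"]):
            octet = r["ctype"] == "application/octet-stream"
            hits.append("script-upload" + ("-octet-stream" if octet else ""))
    if path == "/" and "cmd" in r["params"]:
        hits.append("cmd-probe")
    return hits

def find_chains(records):
    """Sessions whose POSTs contain CHAIN in order (other requests may be interleaved)."""
    flagged = []
    for session in sorted({r["session"] for r in records}):
        it = (basename(urlparse(r["path"]).path) for r in records
              if r["session"] == session and r["method"] == "POST")
        if all(any(n == h for h in it) for n in CHAIN):
            flagged.append(session)
    return flagged
```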
CVSS provenance
NVD v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/166182/Xerte-3.9-Remote-Code-Execution.html
- https://github.com/thexerteproject/xerteonlinetoolkits/commit/1672d6f46bbd6f6d42f0903ce9a313927ae2836b#diff-27433bb0be90e431d40986f9afebe9ee2f8d1025a7f9e55c3cd7a86f1f8e3fdc
- https://github.com/thexerteproject/xerteonlinetoolkits/commit/6daeb81d089d4a561e22f931fff1327660a7d1b5
- https://riklutz.nl/2021/11/03/authenticated-file-upload-to-remote-code-execution-in-xerte/