CVE-2019-19634 (Arbitrary file upload in class.upload.php)

Jinny Ramsmark
Dec 8, 2019

class.upload.php <= 2.0.4 Arbitrary file upload

Vendor: https://www.verot.net/

Product: class.upload.php

PoC GitHub: https://github.com/jra89/CVE-2019-19634

CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19634

This is basically the same thing again as CVE-2019-19576. I took another look after the patch was released and realized that there are other PHP extensions out there, in this case on Debian/Ubuntu with PHP5, that this library does not blacklist. So I installed PHP5 on Ubuntu and tested it, and the same thing went through. Both Verot and K2/JoomlaWorks have released patches and agreed to release this new CVE.
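Why an extension blacklist keeps missing cases, shown as an added example that is not code from class.upload.php or from the PoC repository: a denylist check beside an allowlist check that also verifies content type and renames the file. The function names, the denylist contents and the `.phpx` extension are made up for illustration; `.phpx` stands in for any extension a server maps to PHP that the denylist does not know about.

```php
<?php
// Added illustration; every name here is hypothetical, not the library's API.

// Constructed denylist, NOT the library's real list.
const DENYLIST = ['php', 'php5', 'phtml'];

// Allowlist: extension => MIME type the file content must sniff as.
const ALLOWLIST = [
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'gif' => 'image/gif',
];

function ext_of(string $name): string
{
    return strtolower(pathinfo($name, PATHINFO_EXTENSION));
}

// Denylist: accepts every extension it has never heard of.
function denylist_accepts(string $name): bool
{
    return !in_array(ext_of($name), DENYLIST, true);
}

// Allowlist: returns a server-chosen stored name, or null to reject.
function allowlist_store_name(string $name, string $tmpPath): ?string
{
    $ext = ext_of($name);
    if (!array_key_exists($ext, ALLOWLIST)) {
        return null; // unknown or empty extension
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== ALLOWLIST[$ext]) {
        return null; // content does not match the claimed type
    }
    // Never reuse the client-supplied name on disk.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed input: a minimal GIF header written to a temp file.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "GIF89a\x01\x00\x01\x00\x00\x00\x00;");

foreach (['avatar.gif', 'avatar.phpx', 'avatar.GIF.phpx'] as $name) {
    printf("%-16s denylist=%s allowlist=%s\n", $name,
        denylist_accepts($name) ? 'accept' : 'reject',
        allowlist_store_name($name, $tmp) === null ? 'reject' : 'accept');
}
unlink($tmp);
```

The denylist accepts all three names, while the allowlist accepts only `avatar.gif`, and it keeps doing so no matter which extensions a given distribution's PHP handler configuration adds.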

So this is a bit of a shorter text, but there are a bunch more coming up (that are currently within the 90-day responsible disclosure timeline, plus some vendors that have asked for extended time).


I program, hack, and write odd stories. I currently work for an IT-security company called Defensify.
