CVE-2015-5951
📋 TL;DR
This vulnerability allows attackers to upload arbitrary PHP files to the web root directory of Thomson Reuters FATCA software, enabling remote code execution. It affects FATCA versions before 5.2, potentially allowing complete system compromise. Organizations using vulnerable versions are at risk of data theft, system takeover, and lateral movement.
💻 Affected Systems
- Thomson Reuters FATCA
📦 What is this software?
Thomson Reuters FATCA is a compliance and reporting application for the U.S. Foreign Account Tax Compliance Act, deployed as a PHP web application.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise leading to data exfiltration, ransomware deployment, backdoor installation, and lateral movement across the network.
Likely Case
Webshell installation allowing persistent access, credential theft, and data manipulation.
If Mitigated
Limited impact with proper network segmentation, file integrity monitoring, and web application firewalls blocking malicious uploads.
🎯 Exploit Status
Exploitation requires authenticated access to the application. A public advisory with proof-of-concept details has been published (see References), so the upload path is documented and exploitation requires no novel research.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.2
Vendor Advisory: https://www.thomsonreuters.com
Restart Required: Yes
Instructions:
1. Download FATCA version 5.2 or later from Thomson Reuters.
2. Back up the current configuration and data.
3. Install the updated version following the vendor's instructions.
4. Restart the application and confirm the reported version is 5.2 or later before returning it to service.
🔧 Temporary Workarounds
File Upload Restriction
Configure the web server so that files in the upload directory are never executed as PHP. Scope the rule to the upload directory only: applied to the whole web root it would also block the application's own PHP entry points and take FATCA offline. This stops execution but not the upload itself, so pair it with the WAF rule below. UPLOAD_DIR is a placeholder for the real upload directory.
# Apache: place in a .htaccess inside the upload directory (requires AllowOverride); 2.4 syntax shown, use "Deny from all" on 2.2
<FilesMatch "\.(php\d?|phtml|phar)$">
Require all denied
</FilesMatch>
# Nginx: add to the server block, before the generic PHP handler location
location ~* ^/UPLOAD_DIR/.*\.(php\d?|phtml|phar)$ {
deny all;
}
Web Application Firewall
Deploy WAF rules that reject uploads whose filename carries an executable extension. In ModSecurity the original filename of a multipart upload is exposed in the FILES collection, not ARGS, and inspecting it requires SecRequestBodyAccess On; the rule below also covers the case where specid arrives as a plain parameter, and lowercases before matching so PHP and .PhP are caught.
# ModSecurity rule (phase 2, after the request body has been parsed)
SecRequestBodyAccess On
SecRule FILES:specid|ARGS:specid "@rx \.(?:php\d?|phtml|phar)$" "id:1001,phase:2,t:lowercase,deny,status:403,log,msg:'Block PHP upload via specid'"
🧯 If You Can't Patch
- Implement strict network segmentation to isolate FATCA servers from critical assets
- Deploy file integrity monitoring to detect unauthorized PHP file creation in web root
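The file integrity monitoring recommended above, as an added example (not a tool shipped with Thomson Reuters FATCA): a baseline-and-diff check that hashes every file under the web root and reports script files (by extension, including double extensions such as shell.php.jpg) that appear or change between runs. The directory layout, file contents and the "fatca_webroot_" prefix in demo() are constructed for the demonstration; in production, point snapshot() at the real web root and upload directory and keep the baseline off-box.

```python
"""Baseline-and-diff integrity check for PHP script files in a web root."""
import hashlib
import os
import re
import tempfile

# Executable extensions to report; a trailing '.' catches double extensions.
SCRIPT_RE = re.compile(r"\.(?:php\d?|phtml|phar)(?:\.|$)", re.IGNORECASE)


def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map each file's path (relative to root, '/'-separated) to its digest."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = sha256_file(full)
    return snap


def is_script(relpath):
    """True if the name carries a PHP-executable extension anywhere in it."""
    return SCRIPT_RE.search(relpath) is not None


def diff(baseline, current):
    """Return (new, modified, removed) script paths between two snapshots."""
    new = sorted(p for p in current if p not in baseline and is_script(p))
    modified = sorted(p for p in current
                      if p in baseline and baseline[p] != current[p] and is_script(p))
    removed = sorted(p for p in baseline if p not in current and is_script(p))
    return new, modified, removed


def demo():
    """Build a throwaway web root (constructed sample), baseline it, then
    simulate a webshell drop and show what the diff reports."""
    root = tempfile.mkdtemp(prefix="fatca_webroot_")
    os.makedirs(os.path.join(root, "uploads"))
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php echo 'app'; ?>")
    with open(os.path.join(root, "uploads", "report.pdf"), "wb") as f:
        f.write(b"%PDF-1.4 constructed sample")
    baseline = snapshot(root)

    # Simulated attacker activity: a webshell and a double-extension file.
    with open(os.path.join(root, "uploads", "cmd.php"), "w") as f:
        f.write("<?php system($_GET['c']); ?>")
    with open(os.path.join(root, "uploads", "img.php.jpg"), "w") as f:
        f.write("<?php phpinfo(); ?>")
    # A legitimate change to a non-script file is not reported.
    with open(os.path.join(root, "uploads", "report.pdf"), "ab") as f:
        f.write(b" appended")
    return diff(baseline, snapshot(root))


if __name__ == "__main__":
    new, modified, removed = demo()
    print("new scripts:", new)
    print("modified scripts:", modified)
    print("removed scripts:", removed)
```

Run it on a schedule and alert on any non-empty "new" or "modified" list; a PHP file appearing under the upload directory is the direct artifact of this CVE being exploited.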
🔍 How to Verify
Check if Vulnerable:
Confirm the installed FATCA version is earlier than 5.2. If an authorized, non-production copy is available, attempt to upload a harmless file with a .php extension via the specid parameter and check whether it lands in the web root and executes when requested directly.
Check Version:
Read the version from the application's interface or configuration files. The advisory only names the fixed release (5.2), so treat any earlier version as affected.
Verify Fix Applied:
Confirm the version is 5.2 or later and repeat the test upload via the specid parameter: the upload should be rejected. If the web-server workaround is in place, a direct request for a previously uploaded .php file should return 403 rather than execute.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads via specid parameter
- PHP file creation in web root directory
- POST requests to upload endpoints with PHP extensions
Network Indicators:
- HTTP POST requests containing .php files in specid parameter
- Unusual outbound connections from FATCA server
SIEM Query:
source="web_logs" method="POST" AND (uri_path="*upload*" OR uri_query="*specid*") AND (file_name="*.php*" OR file_name="*.phtml" OR file_name="*.phar")
Field names depend on the log schema; access logs do not record multipart filenames, so the file_name field needs the WAF or application log as a source. In plain access logs, look instead for the follow-on: any request for a .php path outside the application's known entry points that returns 200 shortly after an upload POST from the same client.
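The follow-on pattern described under Detection & Monitoring, as an added example (not from the advisory or from Thomson Reuters): a parser for Apache/Nginx combined-format access logs that flags requests for executable scripts outside a known allowlist and correlates them with a preceding upload POST from the same client. The upload-handler name, the KNOWN_PHP allowlist and the log lines are constructed assumptions; replace them with the real entry points of the FATCA deployment.

```python
"""Flag drop-and-execute webshell activity in combined-format access logs."""
import re
from datetime import datetime, timedelta

# Combined log format: ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Executable extension at the end of the path or before path-info ('/x.php/..').
EXEC_RE = re.compile(r"\.(?:php\d?|phtml|phar)(?:$|/)", re.IGNORECASE)

# Hypothetical allowlist of the application's own PHP entry points.
KNOWN_PHP = {"/index.php", "/login.php", "/report.php", "/upload.php"}


def parse(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def detect(lines, window=timedelta(minutes=10)):
    """Return one alert per request for a script not in KNOWN_PHP.
    after_upload is True when the same client sent an upload POST within
    `window` beforehand, which is the CVE-2015-5951 exploitation shape."""
    last_upload = {}  # client ip -> timestamp of its latest upload POST
    alerts = []
    for line in lines:
        r = parse(line)
        if r is None:
            continue
        if r["method"] == "POST" and "upload" in r["path"].lower():
            last_upload[r["ip"]] = r["ts"]
            continue
        if EXEC_RE.search(r["path"]) and r["path"] not in KNOWN_PHP:
            t = last_upload.get(r["ip"])
            alerts.append({
                "ip": r["ip"],
                "path": r["path"],
                "status": r["status"],
                "after_upload": t is not None and r["ts"] - t <= window,
            })
    return alerts


# Constructed sample log: a successful drop-and-execute, and a later
# unrelated probe that never uploaded anything.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Aug/2015:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla"',
    '10.0.0.5 - - [07/Aug/2015:10:01:30 +0000] "POST /upload.php HTTP/1.1" 200 88 "-" "Mozilla"',
    '10.0.0.5 - - [07/Aug/2015:10:01:45 +0000] "GET /uploads/cmd.php?c=id HTTP/1.1" 200 64 "-" "Mozilla"',
    '10.0.0.9 - - [07/Aug/2015:10:30:00 +0000] "GET /login.php HTTP/1.1" 200 2048 "-" "Mozilla"',
    '10.0.0.9 - - [07/Aug/2015:11:00:00 +0000] "GET /uploads/shell.phtml HTTP/1.1" 404 0 "-" "curl"',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Tune the priority on after_upload and status: an unknown script returning 200 within minutes of an upload by the same client is a high-confidence hit, whereas a 404 with no preceding upload is scanner noise worth counting but not paging on.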
🔗 References
- http://packetstormsecurity.com/files/133003/Thomson-Reuters-FATCA-Arbitrary-File-Upload.html
- http://seclists.org/fulldisclosure/2015/Aug/25
- http://www.securityfocus.com/archive/1/536163/100/0/threaded
- http://www.securityfocus.com/bid/76271
- https://seclists.org/bugtraq/2015/Aug/32