CVE-2018-11091
📋 TL;DR
This vulnerability allows attackers to upload malicious files to MyBiz MyProcureNet servers by manipulating the whitelist parameter. Attackers can upload scripts that execute operating system commands, potentially leading to server takeover. This affects MyBiz MyProcureNet version 5.0.0 installations.
💻 Affected Systems
- MyBiz MyProcureNet
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise with remote code execution, data theft, and lateral movement within the network.
Likely Case
Webshell deployment leading to persistent backdoor access, data exfiltration, and further exploitation.
If Mitigated
Limited impact with proper file upload validation and server hardening in place.
🎯 Exploit Status
Exploitation is straightforward - attackers can modify the HiddenFieldControlCustomWhiteListedExtensions parameter to add malicious file extensions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.0.1 or later
Vendor Advisory: https://www.sec-consult.com/en/blog/advisories/arbitrary-file-upload-cross-site-scripting-in-mybiz-myprocurenet/
Restart Required: Yes
Instructions:
1. Download the latest version from MyBiz vendor portal.
2. Backup current installation.
3. Apply the patch/upgrade.
4. Restart the application server.
5. Verify the fix by testing file upload functionality.
🔧 Temporary Workarounds
Disable file upload functionality
Temporarily disable file upload features in MyProcureNet configuration (all platforms)
Edit web.config or application configuration to remove/disable upload modules
Implement WAF rules
Add web application firewall rules to block malicious file upload attempts (all platforms)
Add WAF rule: Block requests containing 'HiddenFieldControlCustomWhiteListedExtensions' parameter with suspicious values
🧯 If You Can't Patch
- Implement strict file extension validation at the application layer
- Deploy the application behind a reverse proxy with strict upload filtering
🔍 How to Verify
Check if Vulnerable:
Test if you can upload files with extensions like .asp, .php, .jsp by modifying the HiddenFieldControlCustomWhiteListedExtensions parameter
Check Version:
Check application version in admin panel or via application metadata
Verify Fix Applied:
Repeat the same test after patching; the upload should be blocked or rejected
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads with executable extensions
- Requests containing 'HiddenFieldControlCustomWhiteListedExtensions' parameter modifications
- Webshell access patterns in access logs
Network Indicators:
- POST requests to upload endpoints with unusual file extensions
- Traffic to unexpected ports from web server
SIEM Query:
source="web_logs" AND (uri_path="*upload*" AND (file_extension="asp" OR file_extension="php" OR file_extension="jsp"))
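Added example (not from the advisory or the vendor): a Python check that a WAF hook or log pipeline could run on each multipart upload POST, flagging extensions in HiddenFieldControlCustomWhiteListedExtensions that are outside a server-side baseline, plus uploaded filenames with non-baseline extensions. The baseline set, the field's delimiter format and the sample request are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes

PARAM = "HiddenFieldControlCustomWhiteListedExtensions"
# Assumption: extensions this deployment legitimately accepts; adjust per site.
BASELINE = {"pdf", "doc", "docx", "xls", "xlsx", "png", "jpg"}

def split_extensions(value):
    """Normalise a delimiter-separated extension list to bare lowercase names."""
    # Assumption: entries are separated by commas, semicolons, pipes or whitespace.
    tokens = (t.strip("*. ").lower() for t in re.split(r"[,;|\s]+", value))
    return {t for t in tokens if t}

def audit_upload(content_type, body, baseline=BASELINE):
    """Inspect one multipart POST; return (extra_whitelist_exts, suspect_filenames)."""
    # Reuse the stdlib MIME parser by prepending the request's Content-Type header.
    msg = message_from_bytes(
        b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body)
    if not msg.is_multipart():
        return [], []
    extra, suspect = set(), []
    for part in msg.get_payload():
        name = part.get_param("name", header="content-disposition")
        filename = part.get_param("filename", header="content-disposition")
        if name == PARAM:
            value = part.get_payload(decode=True).decode("utf-8", "replace")
            # Anything the client adds beyond the server-side baseline is tampering.
            extra |= split_extensions(value) - baseline
        if isinstance(filename, str) and filename:
            # A missing or empty extension (e.g. trailing dot) is also outside the baseline.
            ext = filename.rpartition(".")[2].lower() if "." in filename else ""
            if ext not in baseline:
                suspect.append(filename)
    return sorted(extra), suspect

# Constructed sample request (not captured traffic).
SAMPLE_TYPE = "multipart/form-data; boundary=XB"
SAMPLE_BODY = (
    b'--XB\r\nContent-Disposition: form-data; name="' + PARAM.encode() + b'"\r\n\r\n'
    b"pdf,docx,.ASPX\r\n"
    b'--XB\r\nContent-Disposition: form-data; name="file"; filename="report.aspx"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\nplaceholder\r\n--XB--\r\n"
)

if __name__ == "__main__":
    print(audit_upload(SAMPLE_TYPE, SAMPLE_BODY))
```

The same comparison against a server-held baseline, rather than a client-supplied list, is what strict extension validation at the application layer amounts to.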
🔗 References
- http://packetstormsecurity.com/files/155281/FreeBSD-Security-Advisory-FreeBSD-SA-19-26.mcu.html
- http://seclists.org/fulldisclosure/2018/May/32
- https://seclists.org/bugtraq/2019/Nov/16
- https://security.FreeBSD.org/advisories/FreeBSD-SA-19:26.mcu.asc
- https://www.sec-consult.com/en/blog/advisories/arbitrary-file-upload-cross-site-scripting-in-mybiz-myprocurenet/