CVE-2018-13981
📋 TL;DR
This vulnerability allows unauthenticated attackers to upload malicious PHP files with .php5 or .phtml extensions to websites built with Zeta Producer Desktop CMS, leading to remote code execution. It affects websites using the default formmailer widget in vulnerable versions. Attackers can gain full control of affected web servers.
💻 Affected Systems
- Zeta Producer Desktop CMS
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the web server, data theft, installation of backdoors, lateral movement to internal networks, and ransomware deployment.
Likely Case
Webshell installation leading to data exfiltration, defacement, or use as part of a botnet.
If Mitigated
Limited impact if file uploads are blocked at network perimeter or web application firewall level.
🎯 Exploit Status
Multiple public exploit scripts available. Attack requires no authentication and uses simple HTTP file upload.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 14.2.1
Vendor Advisory: https://www.zeta-producer.com/en/security-advisory.html
Restart Required: No
Instructions:
1. Upgrade Zeta Producer Desktop CMS to version 14.2.1 or later.
2. Regenerate and redeploy all affected websites using the patched version.
3. Remove any previously uploaded malicious files.
🔧 Temporary Workarounds
Block PHP extensions at web server
Configure the web server to deny access to .php5 and .phtml files so they are never handed to the PHP handler
For Apache 2.4 (in .htaccess):
<FilesMatch "\.(php5|phtml)$">
    Require all denied
</FilesMatch>
For Nginx: location ~ \.(php5|phtml)$ { deny all; }
Disable formmailer widget
Remove or disable the vulnerable formmailer component from affected websites
Remove the /assets/php/formmailer/ directory from the web root
🧯 If You Can't Patch
- Implement strict file upload filtering at WAF or reverse proxy level
- Monitor for suspicious file uploads to /assets/php/formmailer/ directory
🔍 How to Verify
Check if Vulnerable:
Check if website contains /assets/php/formmailer/SendEmail.php and test uploading .php5 file to that endpoint
Check Version:
Check CMS about dialog or version.txt file in installation directory
Verify Fix Applied:
Verify CMS version is 14.2.1+ and test that .php5/.phtml uploads are properly blocked
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /assets/php/formmailer/SendEmail.php with .php5/.phtml files
- File creation in upload directories with .php5/.phtml extensions
Network Indicators:
- Unusual outbound connections from web server following file uploads
- HTTP requests with suspicious User-Agents to formmailer endpoint
SIEM Query:
source="web_logs" AND uri="/assets/php/formmailer/SendEmail.php" AND (file_extension=".php5" OR file_extension=".phtml")
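The log indicators above, turned into a small detector over web server access logs (an added example written here for this advisory, not code from the vendor or from the referenced advisories). It assumes combined-format access logs and that uploaded files are served from under /assets/php/formmailer/; the sample log lines are constructed.

```python
import re

# Constructed sample lines in Apache/Nginx "combined" log format (not real traffic).
# The first client POSTs to the formmailer endpoint and then fetches a .php5 file
# from the same directory; the second is an ordinary form submission from a browser.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2018:10:01:09 +0000] "POST /assets/php/formmailer/SendEmail.php HTTP/1.1" 200 87 "-" "python-requests/2.19"
203.0.113.5 - - [10/Jul/2018:10:01:11 +0000] "GET /assets/php/formmailer/x.php5 HTTP/1.1" 200 44 "-" "python-requests/2.19"
198.51.100.7 - - [10/Jul/2018:10:05:30 +0000] "POST /assets/php/formmailer/SendEmail.php HTTP/1.1" 200 87 "https://example.test/contact" "Mozilla/5.0"
198.51.100.7 - - [10/Jul/2018:10:05:31 +0000] "GET /assets/img/logo.png HTTP/1.1" 200 9120 "https://example.test/contact" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
ENDPOINT = "/assets/php/formmailer/SendEmail.php"   # upload endpoint named in the advisory
UPLOAD_DIR = "/assets/php/formmailer/"              # assumption: uploaded files are served from here
SCRIPT_EXT_RE = re.compile(r"\.(php5|phtml)$", re.IGNORECASE)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_suspicious(log_text):
    """Flag POSTs to the formmailer endpoint and any request for a .php5/.phtml
    file under the formmailer directory. A script-extension request from a client
    that already POSTed to the endpoint is rated high, otherwise medium."""
    findings = []
    posted = set()  # client IPs seen POSTing to the endpoint
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop the query string before matching
        if rec["method"] == "POST" and path == ENDPOINT:
            posted.add(rec["ip"])
            # Every legitimate form submission hits this endpoint too, so rate it
            # low unless the client does not look like a browser.
            sev = "low" if rec["ua"].startswith("Mozilla/") else "medium"
            findings.append({"rule": "formmailer_post", "ip": rec["ip"], "ts": rec["ts"], "severity": sev})
        elif path.startswith(UPLOAD_DIR) and SCRIPT_EXT_RE.search(path):
            sev = "high" if rec["ip"] in posted else "medium"
            findings.append({"rule": "script_ext_request", "ip": rec["ip"], "ts": rec["ts"],
                             "path": path, "severity": sev})
    return findings

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```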
🔗 References
- http://packetstormsecurity.com/files/148537/Zeta-Producer-Desktop-CMS-14.2.0-Code-Execution-File-Disclosure.html
- https://www.exploit-db.com/exploits/45016/
- https://www.sec-consult.com/en/blog/advisories/remote-code-execution-local-file-disclosure-zeta-producer-desktop-cms/