CVE-2019-18952
📋 TL;DR
CVE-2019-18952 allows unauthenticated attackers to upload arbitrary files to SibSoft Xfilesharing servers via the cgi-bin/up.cgi endpoint. When combined with CVE-2019-18951 (local file inclusion), this enables remote code execution by uploading malicious HTML files containing short codes. All SibSoft Xfilesharing installations through version 2.5.1 are affected.
💻 Affected Systems
- SibSoft Xfilesharing
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise, with the attacker gaining full control of the server, stealing data, and potentially moving laterally to other systems.
Likely Case
Remote code execution leading to web shell installation, data exfiltration, and server takeover.
If Mitigated
File upload attempts blocked at WAF or network perimeter, limiting impact to failed exploitation attempts.
🎯 Exploit Status
Exploit code is publicly available and requires minimal technical skill to execute.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 2.5.1
Vendor Advisory: Not available - vendor appears to be unresponsive
Restart Required: No
Instructions:
1. Upgrade to the latest version of Xfilesharing if available.
2. If no official patch exists, consider migrating to alternative software.
3. Apply the workarounds listed below.
🔧 Temporary Workarounds
Block up.cgi endpoint
Prevent access to the vulnerable cgi-bin/up.cgi endpoint (note that this also disables legitimate uploads through that script)
# Apache (mod_rewrite; the leading "/?" makes the pattern work both in .htaccess and in server/vhost context):
RewriteEngine On
RewriteRule ^/?cgi-bin/up\.cgi$ - [F]
# Nginx: location ~ ^/cgi-bin/up\.cgi$ { return 403; }
Restrict file upload extensions
Configure the web server to deny serving HTML and executable files from the upload directory. This blocks access to such files once they are on disk; it does not stop the upload itself, and both rules should be scoped to the upload directory (e.g. inside an Apache <Directory> block or a more specific Nginx location), otherwise the site's own .html pages are denied as well.
# Apache: <FilesMatch "\.(html|htm|php|exe|sh)$">
Require all denied
</FilesMatch>
# Nginx: location ~* \.(html|htm|php|exe|sh)$ {
deny all;
}
🧯 If You Can't Patch
- Implement strict WAF rules to block requests to cgi-bin/up.cgi and suspicious file upload patterns
- Isolate the Xfilesharing server in a DMZ with strict outbound firewall rules to limit damage if compromised
🔍 How to Verify
Check if Vulnerable:
Check whether the cgi-bin/up.cgi endpoint exists and accepts file uploads without authentication. Test by attempting to upload a harmless test file to your own installation.
Check Version:
Check the Xfilesharing configuration files or admin panel for version information. The version is typically shown in the configuration files or in the footer of the web pages.
Verify Fix Applied:
Verify that the up.cgi endpoint is no longer accessible or properly validates file uploads, and confirm that the file-extension restrictions are enforced.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /cgi-bin/up.cgi with file uploads
- Multiple failed upload attempts followed by successful upload
- Access to unusual file extensions in web directories
Network Indicators:
- Unusual outbound connections from web server
- HTTP requests to known malicious domains from server IP
SIEM Query:
source="web_server" AND (uri="/cgi-bin/up.cgi" OR uri="/cgi-bin/up.cgi*") AND method="POST"
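The log indicators above can be checked offline against a web server access log. The following is an added example (not part of the original advisory) that scans constructed Combined-Log-Format lines for POSTs to /cgi-bin/up.cgi, for a successful upload after repeated failures, and for a later request to a suspicious extension from the same client; it assumes HTTP status codes distinguish failed from successful uploads, which may not hold for every CGI script.

```python
import re
from collections import defaultdict

# Combined Log Format parser (regex written for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
UPLOAD_PATH = "/cgi-bin/up.cgi"
# Extensions the advisory's workaround denies; fetching one after an upload is suspicious.
SUSPICIOUS_EXT = re.compile(r'\.(html?|php|exe|sh)(\?|$)', re.I)

# Constructed sample log: one benign client and one client that retries the upload.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2019:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [10/Nov/2019:12:00:05 +0000] "POST /cgi-bin/up.cgi HTTP/1.1" 500 0
203.0.113.7 - - [10/Nov/2019:12:00:06 +0000] "POST /cgi-bin/up.cgi HTTP/1.1" 500 0
203.0.113.7 - - [10/Nov/2019:12:00:07 +0000] "POST /cgi-bin/up.cgi HTTP/1.1" 500 0
203.0.113.7 - - [10/Nov/2019:12:00:09 +0000] "POST /cgi-bin/up.cgi HTTP/1.1" 200 88
203.0.113.7 - - [10/Nov/2019:12:00:12 +0000] "GET /files/x.html HTTP/1.1" 200 302
""".splitlines()

def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyze(lines, fail_threshold=3):
    """Return a list of (client_ip, reason) findings from access-log lines."""
    findings = []
    fails = defaultdict(int)   # failed up.cgi POSTs per client (status >= 400)
    uploaders = set()          # clients with at least one successful up.cgi POST
    for line in lines:
        rec = parse(line)
        if not rec:
            continue
        ip, uri, status = rec["ip"], rec["uri"], int(rec["status"])
        if rec["method"] == "POST" and uri.split("?")[0] == UPLOAD_PATH:
            findings.append((ip, f"POST to {UPLOAD_PATH} (status {status})"))
            if status >= 400:
                fails[ip] += 1
            else:
                uploaders.add(ip)
                if fails[ip] >= fail_threshold:
                    findings.append((ip, f"successful upload after {fails[ip]} failed attempts"))
        elif SUSPICIOUS_EXT.search(uri) and ip in uploaders:
            findings.append((ip, f"fetched {uri} after uploading via {UPLOAD_PATH}"))
    return findings

if __name__ == "__main__":
    for ip, reason in analyze(SAMPLE_LOG):
        print(f"{ip}: {reason}")
```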
🔗 References
- http://packetstormsecurity.com/files/155324/Xfilesharing-2.5.1-Local-File-Inclusion-Shell-Upload.html
- https://gist.github.com/pak0s/af9f640170aed335fdf6d110d468dbce