CVE-2019-19576

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code by uploading malicious .phar files to systems using vulnerable versions of verot.net class.upload library. The library failed to block .phar extensions, enabling PHP Archive files to be uploaded and executed. This affects Joomla! K2 extension users and any other applications using class.upload.php versions before 1.0.3 or 2.x before 2.0.4.

💻 Affected Systems

Products:
  • verot.net class.upload library
  • Joomla! K2 extension
  • Other applications using class.upload.php
Versions: class.upload versions < 1.0.3, 2.x versions < 2.0.4
Operating Systems: All platforms running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with file upload functionality enabled using the vulnerable library.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with remote code execution, allowing attackers to take complete control of the server, steal data, install malware, or pivot to other systems.

🟠 Likely Case: Webshell deployment leading to data theft, defacement, or use as a foothold for further attacks.

🟢 If Mitigated: File uploads blocked or properly validated, limiting impact to denial of service or failed upload attempts.

🌐 Internet-Facing: HIGH - Web applications with file upload functionality are directly exposed to remote attackers.
🏢 Internal Only: MEDIUM - Internal applications with file upload could be exploited by authenticated users or through other attack vectors.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public exploits exist, requiring only the ability to upload files to a vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: class.upload 1.0.3 or 2.0.4

Vendor Advisory: https://github.com/verot/class.upload.php/commits/master

Restart Required: No

Instructions:

1. Update class.upload.php to version 1.0.3 or 2.0.4.
2. For the Joomla! K2 extension, update to a version containing commit d1344706c4b74c2ae7659b286b5a066117155124.
3. Replace vulnerable class.upload.php files with patched versions from the official repository.

🔧 Temporary Workarounds

Block .phar file uploads (scope: all)

Add .phar to the blocked extensions list in upload validation: add '.phar' to the $upload->file_safe_name array or equivalent extension blacklist.

Disable file upload functionality (scope: all)

Temporarily disable file uploads until patched: disable file upload forms or set upload_max_filesize=0 in php.ini.

🧯 If You Can't Patch

  • Implement strict file type validation using MIME type checking, not just extensions
  • Store uploaded files outside web root with no execute permissions
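The workaround above extends the blacklist, but the root cause of this CVE is that a blacklist accepts anything it does not name. The following is an added example (not code from class.upload.php or K2) contrasting an assumed blocklist that predates the .phar entry with an allowlist check; the extension lists and sample filenames are constructed for illustration.

```php
<?php
// Added example (not code from class.upload.php or K2): contrast the blocklist
// pattern behind CVE-2019-19576 with an allowlist check. Extension lists are
// assumed values for illustration.

// Blocklist approach: accepts anything not explicitly named. A list written
// before .phar was added lets PHP Archive files through.
function blocklist_allows(string $filename): bool {
    $blocked = ['php', 'php3', 'php4', 'php5', 'phtml', 'phps']; // assumed list, no 'phar'
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return !in_array($ext, $blocked, true);
}

// Allowlist approach: every dotted segment after the base name must be an
// approved type, so "shell.phar", "shell.PHAR" and "shell.phar.jpg" all fail.
function allowlist_allows(string $filename, array $allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf']): bool {
    $base = rtrim(basename($filename), ". ");        // drop path and trailing dots/spaces
    if ($base === '' || preg_match('/[\x00-\x1f]/', $base)) {
        return false;                                 // NUL bytes or control characters
    }
    $parts = explode('.', $base);
    if (count($parts) < 2) {
        return false;                                 // no extension at all
    }
    array_shift($parts);                              // remove the base name
    foreach ($parts as $ext) {
        if (!in_array(strtolower($ext), $allowed, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample filenames: the first two are harmless, the rest are
// names that slip past the blocklist but not the allowlist.
$samples = ['photo.jpg', 'report.pdf', 'shell.phar', 'shell.PHAR', 'shell.phar.jpg', 'shell.php'];
foreach ($samples as $name) {
    printf("%-16s blocklist=%-7s allowlist=%s\n",
        $name,
        blocklist_allows($name) ? 'pass' : 'reject',
        allowlist_allows($name) ? 'pass' : 'reject');
}
```

Whatever the extension check decides, keep the upload directory outside the web root with execution disabled, so a file that does get through cannot be executed by the web server.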

🔍 How to Verify

Check if Vulnerable:

Check whether the class.upload.php version is below 1.0.3, or a 2.x version below 2.0.4, and check whether .phar appears in the blocked extensions list.

Check Version:

grep -i 'version' class.upload.php | head -5

Verify Fix Applied:

Verify that the class.upload.php version is 1.0.3 or later (or 2.0.4 or later on the 2.x line) and confirm that .phar is in the blocked extensions list.

📡 Detection & Monitoring

Log Indicators:

  • File upload attempts with .phar extension
  • Unusual POST requests to upload endpoints
  • Execution of uploaded files from upload directories

Network Indicators:

  • POST requests with .phar files to upload endpoints
  • Subsequent connections from server to external IPs

SIEM Query:

source="web_logs" AND (uri_path="*upload*" OR uri_path="*k2*") AND (file_extension=".phar" OR user_agent="*curl*" OR user_agent="*wget*")
