CVE-2019-19634
📋 TL;DR
CVE-2019-19634 is an arbitrary file upload vulnerability in verot.net's class.upload.php library: its list of dangerous file extensions omits .pht, so an attacker can upload a file containing PHP code under a .pht name, and web servers whose mod_php configuration maps .pht to the PHP handler will execute it. This affects all applications using class.upload.php versions through 1.0.3 and 2.x through 2.0.4, including the K2 extension for Joomla! and other products that implement this library for file upload functionality.
💻 Affected Systems
- verot.net class.upload.php
- K2 extension for Joomla!
- Other products using class.upload.php library
📦 What is this software?
K2 by Getk2
Verot by Verot Project
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.
Likely Case
Webshell deployment allowing persistent access, data exfiltration, and further exploitation of the hosting environment.
If Mitigated
File upload attempts blocked or quarantined with no code execution.
🎯 Exploit Status
Exploitation requires access to an upload feature backed by class.upload.php and a web server that executes .pht files as PHP; a public proof-of-concept demonstrates a simple .pht file upload.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: class.upload.php 2.0.5 and later
Vendor Advisory: https://github.com/verot/class.upload.php/commit/1b9c4c8db81b12a7a2b44b6e8e6d5c9c7f8e3a2d
Restart Required: No
Instructions:
1. Update class.upload.php to version 2.0.5 or later.
2. Replace the vulnerable file with the patched version in every application that bundles its own copy of the library, such as K2.
3. Test file upload functionality, including that a .pht upload is now rejected.
🔧 Temporary Workarounds
Web Server Block .pht Files
Configure the web server so that .pht files are never executed (or served) from upload directories.
For Apache: add a <FilesMatch "\.pht$"> block containing 'Require all denied' (Apache 2.4; 'Deny from all' on 2.2) to .htaccess or the vhost config. 'AddType text/plain .pht' only prevents execution where PHP is bound via AddType/AddHandler; where mod_php is bound with SetHandler inside a <FilesMatch> block, as several distributions do, that handler takes precedence, so denying access is the robust option.
For Nginx: add 'location ~ \.pht$ { deny all; }' to the server block. Nginx with php-fpm normally only passes \.php$ to PHP, so this mainly stops the file from being served as a download.
Application-Level File Extension Validation
Add .pht to the dangerous-extension list in the application code.
Add 'pht' to the $this->file_extensions array in class.upload.php, around line 3068 of the 2.0.4 source (the line the references below point to). Where the application permits it, prefer an allowlist of permitted extensions and MIME types over the library's denylist, since any extension missing from a denylist is accepted.
🧯 If You Can't Patch
- Disable file upload functionality entirely
- Implement strict file type validation using MIME checking, not just extensions
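As an added example (not code from class.upload.php, K2, or the advisory's authors), the Python below contrasts a denylist check of the kind this CVE concerns with an allowlist-plus-signature check and a server-chosen storage name. The denylist and the signature table are constructed for the illustration; the denylist deliberately omits 'pht' to mirror the bug.

```python
"""Denylist vs. allowlist validation for uploaded files.

Added example, not code from class.upload.php or K2. DENYLIST_EXTS is a
constructed stand-in for a dangerous-extension list that, like the versions
named in CVE-2019-19634, omits 'pht'. ALLOWLIST_MAGIC is a small constructed
table of extension -> accepted file signatures.
"""
import secrets

# Constructed denylist; 'pht' is deliberately missing, as in the CVE.
DENYLIST_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}

# Constructed allowlist: permitted extension -> accepted leading bytes.
ALLOWLIST_MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}


def ext_of(filename: str) -> str:
    """Lower-cased final extension of the base name, '' if there is none."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def denylist_accepts(filename: str) -> bool:
    """Vulnerable pattern: anything not on the denylist passes.
    'shell.pht' is accepted, and a server that maps .pht to PHP runs it."""
    return ext_of(filename) not in DENYLIST_EXTS


def allowlist_accepts(filename: str, head: bytes) -> bool:
    """Hardened pattern: the extension must be on the allowlist AND the
    first bytes of the content must match a signature for that extension.
    An unlisted extension such as 'pht' is rejected without having to be
    enumerated; PHP source under a .png name fails the signature check."""
    sigs = ALLOWLIST_MAGIC.get(ext_of(filename))
    return sigs is not None and any(head.startswith(s) for s in sigs)


def stored_name(filename: str) -> str:
    """Server-chosen storage name: random token plus the validated extension.
    The client's name (and any double extension in it) never reaches disk."""
    ext = ext_of(filename)
    if ext not in ALLOWLIST_MAGIC:
        raise ValueError(f"extension {ext!r} is not allowed")
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed inputs: a .pht webshell with PHP content, and a real PNG header.
    php_payload = b"<?php system($_GET['cmd']); ?>"
    png_header = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
    print("denylist  shell.pht :", denylist_accepts("shell.pht"))                # True: the bug
    print("allowlist shell.pht :", allowlist_accepts("shell.pht", php_payload))  # False
    print("allowlist photo.png :", allowlist_accepts("photo.png", png_header))   # True
    print("allowlist fake.png  :", allowlist_accepts("fake.png", php_payload))   # False
    print("stored as           :", stored_name("photo.png"))
```

A signature check is necessary but not sufficient: a polyglot that starts with a valid GIF or PNG header and carries PHP after it still passes, so the upload directory must additionally be one from which the web server never executes scripts, and the stored name must be server-chosen so that no client-supplied extension survives.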
🔍 How to Verify
Check if Vulnerable:
Find the class.upload.php version: any 1.x release through 1.0.3, or any 2.x release through 2.0.4, is affected. Also check whether 'pht' appears in its dangerous-extension list; if it does not, the copy is vulnerable regardless of the version string.
Check Version:
The class sets $this->version in its constructor, so:
grep -n -m1 -E '\$this->version\s*=' /path/to/class.upload.php
Verify Fix Applied:
Verify class.upload.php version is ≥2.0.5; confirm .pht appears in forbidden extensions list.
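The check above, scripted as an added example (not a tool from verot.net or the advisory). It assumes, as the grep above does, that the class records its version as `$this->version = '...';`, and further assumes that the fix adds the literal 'pht' to the extension list, so a quoted 'pht' token in the source marks a patched check; the two PHP snippets are constructed stand-ins, not the real library source.

```python
"""Assess a class.upload.php source file for CVE-2019-19634.

Added example, not a verot.net tool. Assumptions (not confirmed by the
advisory): the class records its version as `$this->version = 'X.Y.Z';`,
and the patched check contains the quoted literal 'pht'. The sample
sources below are constructed stand-ins for the real file.
"""
import re
import sys

VERSION_RE = re.compile(r"\$this->version\s*=\s*['\"]([0-9][0-9.]*)['\"]")
PHT_TOKEN_RE = re.compile(r"['\"]pht['\"]")

# Constructed: a 2.0.4-style file whose extension list lacks 'pht' ...
VULNERABLE_SAMPLE = """<?php
class upload {
    function __construct($file, $lang = 'en_GB') {
        $this->version = '2.0.4';
    }
    // constructed stand-in for the dangerous-extension list
    var $forbidden_exts = array('php', 'php3', 'phtml', 'phar');
}
"""
# ... and a 2.0.5-style file where 'pht' has been added.
PATCHED_SAMPLE = VULNERABLE_SAMPLE.replace("'2.0.4'", "'2.0.5'").replace(
    "'phar'", "'phar', 'pht'")


def parse_version(src: str):
    """Version as an int tuple, e.g. (2, 0, 4); None if not found."""
    m = VERSION_RE.search(src)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def version_is_vulnerable(ver) -> bool:
    """Affected ranges from the advisory: through 1.0.3 and 2.x through 2.0.4.
    An unreadable version is treated as affected until proven otherwise."""
    if ver is None:
        return True
    if ver[0] < 2:
        return ver <= (1, 0, 3)
    if ver[0] == 2:
        return ver <= (2, 0, 4)
    return False


def has_pht_check(src: str) -> bool:
    """True if a quoted 'pht' literal is present (the assumed fix marker)."""
    return PHT_TOKEN_RE.search(src) is not None


def assess(src: str) -> dict:
    ver = parse_version(src)
    return {
        "version": ".".join(map(str, ver)) if ver else None,
        "affected_version": version_is_vulnerable(ver),
        "pht_listed": has_pht_check(src),
        # Decide on the actual check, not the version string: a back-ported
        # one-line fix leaves 2.0.4 in place but still lists 'pht'.
        "vulnerable": not has_pht_check(src),
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(assess(fh.read()))
    else:
        print("vulnerable sample:", assess(VULNERABLE_SAMPLE))
        print("patched sample:   ", assess(PATCHED_SAMPLE))
```

Run it against the bundled copy in each affected application (e.g. `python3 check_pht.py /var/www/html/administrator/components/com_k2/lib/class.upload.php`, a hypothetical path) rather than only against a library install, since each bundle must be patched separately.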
📡 Detection & Monitoring
Log Indicators:
- File upload attempts with .pht extension
- Unexpected file creation in upload directories
- Web server errors related to .pht file execution
Network Indicators:
- POST requests to upload endpoints with .pht files
- Subsequent requests to uploaded .pht files
SIEM Query:
source="web_logs" AND (uri="*.pht" OR uri="*.pht?*")
Filenames in a multipart upload are in the request body, which access logs do not record, so the upload itself usually appears only as a POST to the upload endpoint; correlate those POSTs with later requests for *.pht from the same client, and treat a 200 response to a *.pht request as a likely successful execution. The User-Agent header does not carry the filename and is not a useful match field here.
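The correlation described above, run over access-log lines, as an added example (not part of the advisory or of the K2/verot projects). The log lines and the `/upload` endpoint prefix are constructed for the illustration; set UPLOAD_PATH_PREFIXES to your application's real upload URL(s).

```python
"""Flag .pht activity in Apache combined-format access logs.

Added example, not part of the advisory or the K2/verot projects. The log
lines and the upload endpoint path are constructed for the illustration.
"""
import re

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# .pht at the end of the path or followed by a query, fragment or slash
PHT_RE = re.compile(r"\.pht(?:$|[?#/])", re.IGNORECASE)
UPLOAD_PATH_PREFIXES = ("/upload",)  # assumption, not from the advisory

# Constructed sample: one client POSTs to the upload endpoint and then calls
# its webshell; another client probes a non-existent .pht and gets 404.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2019:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2019:10:01:40 +0000] "POST /upload HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2019:10:02:05 +0000] "GET /uploads/shell.pht?cmd=id HTTP/1.1" 200 77 "-" "curl/7.64.0"
198.51.100.9 - - [10/Dec/2019:10:03:00 +0000] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Dec/2019:10:03:30 +0000] "GET /old/test.pht HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_pht_activity(lines):
    """Return (ip, path, status, reason) for every request of a .pht path.

    The uploaded filename travels in the multipart body, which access logs do
    not record, so the upload itself is only visible as a POST to the upload
    endpoint. A .pht request from an IP that previously POSTed there is
    labelled 'pht-after-upload'; any other .pht request is 'pht-request'.
    """
    findings = []
    uploaders = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["method"] == "POST" and ev["path"].startswith(UPLOAD_PATH_PREFIXES):
            uploaders.add(ev["ip"])
        if PHT_RE.search(ev["path"]):
            reason = "pht-after-upload" if ev["ip"] in uploaders else "pht-request"
            findings.append((ev["ip"], ev["path"], ev["status"], reason))
    return findings


if __name__ == "__main__":
    for ip, path, status, reason in find_pht_activity(SAMPLE_LOG.splitlines()):
        # A 200 on a .pht path means the server served, and likely executed, it.
        print(f"{reason:17} {ip:15} {status} {path}")
```

Because the access log never shows the uploaded name, the authoritative signal for the upload itself is the filesystem: alert on any new file matching *.pht in the upload directories (file integrity monitoring or a periodic find), and use the log correlation above to spot the follow-up request that turns the file into a webshell.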
🔗 References
- https://github.com/jra89/CVE-2019-19634
- https://github.com/verot/class.upload.php/blob/2.0.4/src/class.upload.php#L3068
- https://medium.com/%40jra8908/cve-2019-19634-arbitrary-file-upload-in-class-upload-php-ccaf9e13875e