CVE-2020-18432

9.8 CRITICAL

📋 TL;DR

CVE-2020-18432 is a critical file upload vulnerability in SEMCMS PHP 3.7 that allows remote attackers to upload arbitrary files, including web shells, to gain escalated privileges and potentially achieve remote code execution. This affects all installations of SEMCMS PHP versions before 3.7. Attackers can compromise the entire web application and underlying server.

💻 Affected Systems

Products:
  • SEMCMS PHP
Versions: All versions before 3.7
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the SEMCMS-Upfile.php component specifically. Any SEMCMS installation with file upload functionality enabled is vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise leading to data theft, ransomware deployment, lateral movement to internal networks, and persistent backdoor installation.

🟠 Likely Case

Web shell upload leading to website defacement, data exfiltration, and use as a pivot point for further attacks.

🟢 If Mitigated

Limited impact if file uploads are disabled, proper file type validation is enforced, and web shells are detected and removed.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin access to upload files. Public proof-of-concept code exists demonstrating web shell upload via the vulnerable Upfile.php component.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: SEMCMS PHP 3.7 and later

Vendor Advisory: https://github.com/advisories/GHSA-hg72-f8x2-chjh

Restart Required: No

Instructions:

1. Download SEMCMS PHP version 3.7 or later from the official source.
2. Backup your current installation and database.
3. Replace all files with the patched version.
4. Verify the Upfile.php component has proper file validation.

🔧 Temporary Workarounds

Disable File Uploads

all

Temporarily disable file upload functionality in SEMCMS if not required.

Modify SEMCMS configuration to remove or disable upload features

Implement Web Application Firewall Rules

all

Block requests to Upfile.php or restrict file uploads to specific file types.

Configure WAF to block .php, .phtml, .php5, .php7 file uploads

🧯 If You Can't Patch

  • Implement strict file type validation on the server-side to only allow specific safe extensions (e.g., .jpg, .png).
  • Store uploaded files outside the web root directory and serve them through a secure script that validates file access.

🔍 How to Verify

Check if Vulnerable:

Check if SEMCMS version is below 3.7 by examining version files or admin panel. Test if arbitrary file upload is possible via the Upfile.php endpoint.

Check Version:

Check SEMCMS version in admin panel or look for version files in the installation directory.

Verify Fix Applied:

Verify SEMCMS version is 3.7 or higher. Test file upload with malicious extensions to ensure they are rejected.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to Upfile.php, especially with .php extensions
  • Multiple failed upload attempts followed by successful upload

Network Indicators:

  • HTTP POST requests to /SEMCMS-Upfile.php with file uploads
  • Suspicious user-agent strings or IP addresses accessing upload endpoints

SIEM Query:

source="web_logs" AND (url="/SEMCMS-Upfile.php" OR url="/Upfile.php") AND (file_extension=".php" OR file_extension=".phtml")
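
The second log indicator above (failed upload attempts followed by a successful one), applied to raw access logs. This is an added example, not code from SEMCMS or the advisory. It assumes combined-format logs and that rejected uploads are logged with a 4xx/5xx status; the function names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Upload endpoints named on this page, matched on the last path segment.
UPLOAD_ENDPOINTS = ("semcms-upfile.php", "upfile.php")

# Assumption: Apache/nginx "combined" access log format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "POST /SEMCMS-Upfile.php HTTP/1.1" 403 512 "-" "curl/8.0"
192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "POST /SEMCMS-Upfile.php HTTP/1.1" 500 512 "-" "curl/8.0"
192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "POST /SEMCMS-Upfile.php HTTP/1.1" 200 1024 "-" "curl/8.0"
198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "POST /Upfile.php?x=1 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

def is_upload_endpoint(path):
    """True if the request path (query string ignored) ends in an upload script."""
    name = path.split("?", 1)[0].rsplit("/", 1)[-1].lower()
    return name in UPLOAD_ENDPOINTS

def find_upload_bursts(lines, min_failures=2):
    """Alert when a client's upload POST succeeds after >= min_failures failures.

    Assumption: rejected uploads are logged with a 4xx/5xx status.
    """
    failures = defaultdict(int)  # consecutive failed upload POSTs per client IP
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or not is_upload_endpoint(m["path"]):
            continue
        ip, status = m["ip"], int(m["status"])
        if status >= 400:
            failures[ip] += 1
        elif 200 <= status < 300:
            if failures[ip] >= min_failures:
                alerts.append({"ip": ip, "time": m["ts"], "path": m["path"],
                               "failed_before": failures[ip]})
            failures[ip] = 0  # reset after any successful upload
    return alerts

if __name__ == "__main__":
    for alert in find_upload_bursts(SAMPLE_LOG.splitlines()):
        print(alert)
```

Access logs normally do not record the uploaded filename, so the extension-based indicator needs application or WAF logs rather than this parser.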
