CVE-2020-21786
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on IBOS 4.5.4 Open systems through arbitrary file inclusion in the CronController.php component. Attackers can achieve complete system compromise (getshell) by exploiting this flaw. All organizations running the vulnerable IBOS version are affected.
💻 Affected Systems
- IBOS 4.5.4 Open
📦 What is this software?
IBOS is a PHP-based collaborative office automation (OA) platform from Ibos; the Open edition is the publicly distributed version whose source and issue tracker live at gitee.com/ibos/IBOS.
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover with remote code execution, data exfiltration, lateral movement, and persistent backdoor installation.
Likely Case
Webshell deployment leading to data theft, defacement, or ransomware deployment on the affected server.
If Mitigated
Limited impact if proper network segmentation, WAF rules, and file integrity monitoring are in place.
🎯 Exploit Status
Exploitation consists of crafted HTTP requests to the vulnerable controller that make it include an attacker-chosen file. The 'getshell' wording in the original report means the inclusion was carried all the way to a webshell, i.e. arbitrary code execution rather than only file disclosure; assume exploitation is practical for anyone who can reach the endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.5.5 or later
Vendor Advisory: https://gitee.com/ibos/IBOS/issues/I18JRG
Restart Required: No
Instructions:
1. Back up the IBOS installation and database.
2. Download IBOS 4.5.5 or later from official sources.
3. Replace all files with the patched version.
4. Verify that CronController.php has been updated.
🔧 Temporary Workarounds
Restrict access to CronController.php
Block direct access to the vulnerable file via web server configuration.
For Apache: add 'Deny from all' (Apache 2.2) or 'Require all denied' (Apache 2.4) to .htaccess in /system/modules/dashboard/controllers/ (requires AllowOverride to permit it; otherwise put the rule in a <Directory> block in the main config)
For Nginx: add 'location ~* CronController\.php$ { deny all; }' to server config
Caveat: these rules only stop requests that name the file in the URL. If the application reaches the controller through its front controller (index.php plus a route parameter), the vulnerable action stays reachable; confirm which request path the controller actually answers on before relying on this.
Disable dashboard module
Temporarily disable the affected dashboard module.
Rename or move the /system/modules/dashboard/ directory. This removes all dashboard functionality, not only the cron controller, so expect user-visible breakage until the patch is applied.
🧯 If You Can't Patch
- Implement strict WAF rules to block requests containing file inclusion patterns to /system/modules/dashboard/controllers/CronController.php
- Deploy network segmentation to isolate the IBOS server and restrict inbound/outbound connections
🔍 How to Verify
Check if Vulnerable:
Confirm the install contains /system/modules/dashboard/controllers/CronController.php, then read it for include/require statements whose argument is built from request input (GET/POST parameters) rather than a fixed path. Check the version in the admin panel or config files.
Check Version:
Check /config/config.php for 'version' parameter or view admin dashboard version info
Verify Fix Applied:
Confirm that every include/require in CronController.php takes a fixed path or a value validated against an allowlist of files under the application directory, and that the installed version is 4.5.5 or higher.
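The two checks above (dynamic include present, version below the fix) as a small review script. This is an added example, not IBOS's own code or the project's tooling; the controller and config snippets it scans are constructed samples, the 'cronfile' parameter name is hypothetical, and the include scan is a heuristic that finds candidates for manual review rather than proving exploitability.

```python
import re

# Constructed sample of a controller file (not the real CronController.php).
# One include takes a variable, one includes a fixed literal path.
SAMPLE_CONTROLLER = r"""<?php
class CronController extends BaseController {
    public function actionRun() {
        $cronfile = Ibos::app()->request->getParam('cronfile');
        include_once($cronfile);
        require_once 'Helper.php';
    }
}
"""

# Constructed sample of the version entry in /config/config.php.
SAMPLE_CONFIG = """<?php
return array(
    'version' => '4.5.4',
);
"""

FIXED_VERSION = "4.5.5"  # fixed release named in the advisory

# include/require with optional parentheses; capture the argument up to ';'
INCLUDE_RE = re.compile(
    r"\b(include_once|require_once|include|require)\b\s*\(?\s*(?P<arg>[^;]*)"
)
VERSION_RE = re.compile(r"""['"]version['"]\s*=>\s*['"]([0-9.]+)['"]""")


def find_dynamic_includes(php_source):
    """Return (line_no, stripped_line) for include/require statements whose
    argument contains a PHP variable ('$'). Literal paths are not reported.
    Whether the variable is attacker-controlled still needs a manual read."""
    hits = []
    for line_no, line in enumerate(php_source.splitlines(), 1):
        m = INCLUDE_RE.search(line)
        if m and "$" in m.group("arg"):
            hits.append((line_no, line.strip()))
    return hits


def installed_version(config_source):
    """Extract the 'version' value from a config.php-style PHP array."""
    m = VERSION_RE.search(config_source)
    return m.group(1) if m else None


def version_tuple(version):
    return tuple(int(part) for part in version.split("."))


def is_patched(version, fixed=FIXED_VERSION):
    """True when the installed version is at or above the fixed release."""
    return version_tuple(version) >= version_tuple(fixed)


def assess(config_source, controller_source):
    """Combine both checks: flag unless the version is fixed and no
    dynamic include remains in the controller."""
    version = installed_version(config_source)
    dynamic = find_dynamic_includes(controller_source)
    patched = bool(version) and is_patched(version)
    return {
        "version": version,
        "patched_version": patched,
        "dynamic_includes": dynamic,
        "needs_attention": (not patched) or bool(dynamic),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_CONFIG, SAMPLE_CONTROLLER))
```

On a real install, read the two files from disk and pass their contents to assess(). A hit from find_dynamic_includes() is not by itself a finding: a patched controller may still include a variable that has been validated a few lines earlier, which is exactly what the manual read is for.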
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /system/modules/dashboard/controllers/CronController.php with suspicious parameters
- Unusual file operations or PHP execution in web directories
Network Indicators:
- HTTP POST/GET requests containing file paths or PHP wrappers to the vulnerable endpoint
SIEM Query:
web_access_logs WHERE uri CONTAINS 'CronController.php' AND (params CONTAINS '..' OR params CONTAINS 'php://' OR params CONTAINS '/etc/')
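The log indicators and SIEM query above, run over access-log lines. This is an added example, not part of the advisory. The log lines are constructed, the 'cronfile' parameter name is hypothetical, and the 'r=dashboard/cron/...' route form is an assumption: IBOS is built on Yii, which dispatches requests as index.php?r=module/controller/action, so a hit on the controller may never name CronController.php in the URL. The matcher therefore checks both forms and decodes parameter values twice to catch double-encoded payloads.

```python
import re
from urllib.parse import parse_qsl, unquote

# Constructed combined-format log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2021:10:01:02 +0000] "GET /system/modules/dashboard/controllers/CronController.php?cronfile=../../../../etc/passwd HTTP/1.1" 200 512 "-" "curl/7.68.0"
10.0.0.6 - - [10/Mar/2021:10:01:05 +0000] "GET /index.php?r=dashboard/cron/add&cronfile=php://input HTTP/1.1" 200 88 "-" "python-requests/2.25.1"
10.0.0.7 - - [10/Mar/2021:10:02:00 +0000] "GET /index.php?r=dashboard/cron/index HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.8 - - [10/Mar/2021:10:02:30 +0000] "GET /index.php?r=dashboard/cron/edit&cronfile=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 77 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2021:10:03:00 +0000] "GET /static/image/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators from the advisory plus two further PHP stream wrappers.
INDICATORS = ["..", "php://", "/etc/", "file://", "data:"]


def targets_cron_controller(path, params):
    """True if the request names the file directly or, under the assumed
    Yii routing, routes to the dashboard cron controller."""
    if "croncontroller.php" in path.lower():
        return True
    return any(k == "r" and v.lower().startswith("dashboard/cron")
               for k, v in params)


def suspicious_values(params):
    """Indicators found in any parameter value. parse_qsl already removed
    one layer of %XX encoding; unquote() once more catches double encoding."""
    found = set()
    for _, value in params:
        decoded = unquote(value).lower()
        found.update(ind for ind in INDICATORS if ind in decoded)
    return sorted(found)


def flag_requests(log_text):
    """One alert dict per line that hits the controller with an indicator."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("uri").partition("?")
        params = parse_qsl(query, keep_blank_values=True)
        if not targets_cron_controller(unquote(path), params):
            continue
        indicators = suspicious_values(params)
        if indicators:
            alerts.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "uri": m.group("uri"),
                "status": int(m.group("status")),
                "indicators": indicators,
            })
    return alerts


if __name__ == "__main__":
    for alert in flag_requests(SAMPLE_LOG):
        print(alert)
```

Access logs do not record POST bodies, so a POST-based exploit shows up here only as a request to the route with no parameters; pair this with WAF or application logs (or request-body logging) to cover the POST case listed under Network Indicators.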