CVE-2021-41675
📋 TL;DR
This vulnerability allows authenticated attackers to execute arbitrary code on Sourcecodester E-Negosyo System 1.0 servers. Attackers can upload malicious files disguised as images to achieve remote code execution. Only systems running the vulnerable E-Negosyo System are affected.
💻 Affected Systems
- Sourcecodester E-Negosyo System
📦 What is this software?
E Negosyo System by E Negosyo System Project
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands, steal data, install malware, or pivot to other systems.
Likely Case
Unauthorized access to sensitive business data, defacement of the application, or deployment of ransomware/cryptominers.
If Mitigated
Limited impact with proper file upload restrictions and network segmentation in place.
🎯 Exploit Status
Multiple public exploit scripts exist. Attack requires admin credentials or compromised admin account.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: Not available
Restart Required: No
Instructions:
No official patch available. Consider replacing with alternative software or implementing strict workarounds.
🔧 Temporary Workarounds
Restrict file uploads
Implement strict file type validation and disable PHP execution in upload directories
# Add to .htaccess in the upload directory (Apache 2.2 syntax; on Apache 2.4
# without mod_access_compat, replace the Order/Deny pair with "Require all denied"):
<FilesMatch "\.(php|php5|php7|phtml|phar)$">
Order Allow,Deny
Deny from all
</FilesMatch>
# Restrict file extensions in PHP (allowlist, never a denylist):
$allowed_extensions = ['jpg', 'jpeg', 'png', 'gif'];
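As an added example (not code from the E-Negosyo project or from this advisory), the following PHP upload check goes beyond the one-line extension allowlist above: it sniffs the content with finfo, parses it with getimagesize(), requires the two results to agree, and stores the file under a random name whose extension comes from the parsed image type rather than from the client's filename. The 2 MiB limit, the demo directory and the use of copy() instead of move_uploaded_file() (so the script runs from the CLI) are assumptions.

```php
<?php
// Hardened image-upload validation. Added example; not E-Negosyo code.
// The vulnerable endpoint is described as trusting getimagesize() alone, so
// this layers independent checks and never reuses the client-supplied name.
declare(strict_types=1);

const ALLOWED_TYPES = [
    IMAGETYPE_JPEG => 'image/jpeg',
    IMAGETYPE_PNG  => 'image/png',
    IMAGETYPE_GIF  => 'image/gif',
];
const MAX_BYTES = 2 * 1024 * 1024; // assumed size limit

/** Returns ['ok' => bool, 'reason' => string, 'ext' => ?string]. */
function check_image_file(string $tmpPath, string $clientName): array
{
    $size = filesize($tmpPath);
    if ($size === false || $size === 0 || $size > MAX_BYTES) {
        return ['ok' => false, 'reason' => 'bad size', 'ext' => null];
    }
    // 1. Client extension: only the last one counts, and it must be on the list.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true)) {
        return ['ok' => false, 'reason' => 'extension not allowed', 'ext' => null];
    }
    // 2. Content sniffing via libmagic, independent of the name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!in_array($mime, ALLOWED_TYPES, true)) {
        return ['ok' => false, 'reason' => "mime $mime not allowed", 'ext' => null];
    }
    // 3. Image header parse; the detected type must match the sniffed MIME type.
    $info = @getimagesize($tmpPath);
    if ($info === false || !isset(ALLOWED_TYPES[$info[2]]) || ALLOWED_TYPES[$info[2]] !== $mime) {
        return ['ok' => false, 'reason' => 'not a parseable image', 'ext' => null];
    }
    // 4. Heuristic last layer: reject files carrying a PHP open tag. (Plain "<?"
    //    is not checked because JPEG XMP metadata legitimately starts with "<?xpacket".)
    $data = file_get_contents($tmpPath);
    if ($data === false || strpos($data, '<?php') !== false || strpos($data, '<?=') !== false) {
        return ['ok' => false, 'reason' => 'embedded script marker', 'ext' => null];
    }
    // The on-disk extension is derived from the parsed type, never from the client.
    return ['ok' => true, 'reason' => 'ok', 'ext' => image_type_to_extension($info[2], false)];
}

function store_upload(string $tmpPath, string $clientName, string $uploadDir): string
{
    $r = check_image_file($tmpPath, $clientName);
    if (!$r['ok']) {
        throw new RuntimeException('rejected: ' . $r['reason']);
    }
    // Random name: nothing attacker-controlled reaches the filesystem path.
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $r['ext'];
    // In a request handler use is_uploaded_file()/move_uploaded_file(); copy() keeps this CLI-runnable.
    if (!copy($tmpPath, $dest)) {
        throw new RuntimeException('store failed');
    }
    chmod($dest, 0644); // never executable
    return $dest;
}

// --- demo with constructed inputs (run: php validate_upload.php) ---
$dir = sys_get_temp_dir() . '/upload_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0755);

// Constructed 1x1 GIF89a image (smallest valid GIF).
$gif = "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff\x21\xf9\x04"
     . "\x01\x00\x00\x00\x00\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b";
$good = tempnam($dir, 'up');
file_put_contents($good, $gif);
// Constructed non-image with an image extension, as used when verifying the fix.
$bad = tempnam($dir, 'up');
file_put_contents($bad, "<?php /* constructed test file, not an image */ ?>");

echo 'stored: ', store_upload($good, 'photo.gif', $dir), PHP_EOL;
try {
    store_upload($bad, 'photo.gif', $dir);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL; // rejected at the MIME check
}
```

Re-encoding the image through GD (imagecreatefromstring() followed by imagepng()/imagejpeg()) would strip any trailing data as well; it is omitted here to keep the example free of the GD extension. The check is a complement to, not a replacement for, the no-execute rule in the upload directory.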
Disable vulnerable endpoint
Temporarily disable or restrict access to /admin/produts/controller.php
# Apache (2.2 syntax; on Apache 2.4 use "Require all denied" inside the block):
<Location "/admin/produts/controller.php">
Order deny,allow
Deny from all
</Location>
# Nginx:
location = /admin/produts/controller.php {
deny all;
return 403;
}
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block malicious file uploads
- Restrict admin panel access to specific IP addresses only
🔍 How to Verify
Check if Vulnerable:
Check whether /admin/produts/controller.php exists and whether its doInsert function relies on getimagesize() for upload validation. Review the file upload functionality.
Check Version:
Check application files for version information, typically in README or configuration files
Verify Fix Applied:
Test file upload with PHP extensions to ensure they are blocked. Verify .htaccess or nginx rules are properly applied.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to /admin/produts/controller.php
- PHP file uploads with image extensions
- Multiple failed login attempts to admin panel
Network Indicators:
- POST requests to /admin/produts/controller.php with file uploads
- Unexpected outbound connections from web server
SIEM Query:
source="web_logs" AND (uri="/admin/produts/controller.php" OR file_upload="*.php")
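The SIEM query above assumes a normalised field set; the following PHP script is an added example (not from the advisory or the project) that applies the same indicators directly to raw Apache/Nginx "combined" access-log lines. It flags POSTs to the vulnerable endpoint and any request for a PHP-style extension under the upload directory, distinguishing a 403 (the .htaccess/nginx rule held) from a 200 (the file was served). The /uploads/ prefix, the sample lines and their addresses are constructed assumptions.

```php
<?php
// Access-log scan for the indicators listed above. Added example; not E-Negosyo code.
declare(strict_types=1);

const VULN_ENDPOINT = '/admin/produts/controller.php';
const UPLOAD_PREFIX = '/uploads/';   // assumed upload path; adjust to the deployment
// combined format: ip ident user [time] "method path proto" status bytes ...
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) /';

function parse_line(string $line): ?array
{
    if (!preg_match(LOG_RE, $line, $m)) {
        return null;
    }
    $path = parse_url($m[4], PHP_URL_PATH); // drop any query string
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => is_string($path) ? $path : $m[4],
        'status' => (int) $m[5],
    ];
}

// Returns a finding label, or null when the request is uninteresting.
function classify(array $req): ?string
{
    if ($req['method'] === 'POST' && $req['path'] === VULN_ENDPOINT) {
        return 'upload request to vulnerable endpoint';
    }
    $inUploads = strncmp($req['path'], UPLOAD_PREFIX, strlen(UPLOAD_PREFIX)) === 0;
    if ($inUploads && preg_match('/\.ph(p\d*|tml|ar|ps)$/i', $req['path'])) {
        // 403 means the no-execute rule held; anything else means the file was reachable.
        return $req['status'] === 403
            ? 'blocked PHP request in upload dir'
            : 'PHP file served from upload dir';
    }
    return null;
}

function scan_log(iterable $lines): array
{
    $findings = [];
    foreach ($lines as $n => $line) {
        $req = parse_line($line);
        if ($req === null) {
            continue;
        }
        $label = classify($req);
        if ($label !== null) {
            $findings[] = sprintf('line %d %s %s %s %d -> %s',
                $n + 1, $req['ip'], $req['method'], $req['path'], $req['status'], $label);
        }
    }
    return $findings;
}

// Constructed sample lines (RFC 5737 documentation addresses, invented file name).
$sample = [
    '203.0.113.10 - - [05/Nov/2021:10:12:01 +0000] "POST /admin/produts/controller.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [05/Nov/2021:10:12:05 +0000] "GET /uploads/a1b2.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [05/Nov/2021:10:13:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [05/Nov/2021:10:14:00 +0000] "GET /uploads/a1b2.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
];
foreach (scan_log($sample) as $f) {
    echo $f, PHP_EOL;
}
```

Run it against a real log with `php scan_log.php < access.log` after replacing `$sample` with `new SplFileObject('php://stdin')`; a POST to the endpoint followed within seconds by a 200 for a .php path under the upload directory from the same source address is the sequence worth alerting on.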
🔗 References
- https://github.com/janikwehrli1/0dayHunt/blob/main/E-Negosyo-Authenticated-RCE.py
- https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-41675
- https://www.nu11secur1ty.com/2021/11/cve-2021-41675.html