CVE-2021-44664
📋 TL;DR
This vulnerability allows authenticated attackers to upload malicious PHP files disguised as language files to Xerte installations, bypassing upload filters and exploiting path traversal to achieve remote code execution. It affects Xerte Online Toolkits through version 3.9, putting any system running vulnerable versions at risk of complete compromise.
💻 Affected Systems
- Xerte Online Toolkits
📦 What is this software?
Xerte Online Toolkits, by the Xerte Project (github.com/thexerteproject)
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining complete control over the server, allowing data theft, lateral movement, and persistent backdoor installation.
Likely Case
Web server compromise leading to defacement, data exfiltration, or cryptocurrency mining malware deployment.
If Mitigated
Attack blocked at web application firewall or file upload validation layer with no impact.
🎯 Exploit Status
Exploit requires authenticated access but is straightforward with publicly available proof-of-concept code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after commit 1672d6f46bbd6f6d42f0903ce9a313927ae2836b
Vendor Advisory: https://github.com/thexerteproject/xerteonlinetoolkits/commit/1672d6f46bbd6f6d42f0903ce9a313927ae2836b
Restart Required: No
Instructions:
1. Update Xerte Online Toolkits to the latest version.
2. Apply commits 1672d6f46bbd6f6d42f0903ce9a313927ae2836b and 6daeb81d089d4a561e22f931fff1327660a7d1b5.
3. Verify that file upload validation is properly implemented.
🔧 Temporary Workarounds
Disable file upload functionality
Platform: Linux. Temporarily disable the vulnerable file upload endpoint to prevent exploitation.
mv website_code/php/import/fileupload.php website_code/php/import/fileupload.php.disabled
Implement WAF rules
Platform: All. Block requests containing path traversal sequences and PHP file uploads to the vulnerable endpoint.
🧯 If You Can't Patch
- Implement strict file upload validation that checks file extensions and content types
- Restrict access to the project interface to trusted users only and monitor for suspicious uploads
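The "strict file upload validation" bullet above, worked through as an added example (this is not Xerte code and does not reproduce the project's fix). It assumes an upload handler that receives a user-controlled directory fragment (the advisory's mediapath parameter) and a file name, and it assumes an allowlist of extensions with their magic bytes; both the allowlist and the base directory are constructed for the example. The checks are layered: name and extension allowlist, traversal rejection on the path fragment, content sniffing against the declared type, and a scan for embedded PHP tags, followed by a final containment check on the resolved path.

```python
"""Layered upload validation for a media/language upload endpoint.

Added example, not code from the advisory or from the Xerte project.
ALLOWED, BASE_DIR and the field semantics are assumptions for illustration.
"""
import posixpath
import re

# Assumed allowlist: extension -> acceptable leading magic bytes.
ALLOWED = {
    ".xml": (b"<?xml",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
# One conservative name component: no dots, so "en.php.xml" is refused.
SAFE_STEM_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
# Any PHP open tag anywhere in the body, regardless of declared type.
PHP_TAG_RE = re.compile(rb"<\?(php|=)", re.IGNORECASE)


class UploadRejected(ValueError):
    """Raised with a short reason when an upload fails validation."""


def has_traversal(fragment: str) -> bool:
    """True if the user-supplied path fragment is absolute or contains '..'."""
    normalized = fragment.replace("\\", "/")
    return normalized.startswith("/") or ".." in normalized.split("/")


def resolve_target(base_dir: str, mediapath: str, filename: str) -> str:
    """Join the pieces and refuse any result that leaves base_dir."""
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, mediapath, filename))
    if posixpath.commonpath([base, candidate]) != base:
        raise UploadRejected("path escapes upload directory")
    return candidate


def validate_upload(base_dir: str, mediapath: str, filename: str, content: bytes) -> str:
    """Return the storage path for an acceptable upload, else raise UploadRejected."""
    # 1. File name: single component, safe stem, allowlisted extension.
    if "/" in filename or "\\" in filename or filename.startswith("."):
        raise UploadRejected("invalid file name")
    stem, ext = posixpath.splitext(filename)
    ext = ext.lower()
    if not SAFE_STEM_RE.match(stem) or ext not in ALLOWED:
        raise UploadRejected("invalid name or extension")
    # 2. Directory fragment: reject traversal before touching the filesystem.
    if has_traversal(mediapath):
        raise UploadRejected("traversal in mediapath")
    # 3. Content must look like the declared type, not merely be named like it.
    if not any(content.startswith(magic) for magic in ALLOWED[ext]):
        raise UploadRejected("content does not match extension")
    # 4. Defence in depth: never store a body carrying a PHP open tag.
    if PHP_TAG_RE.search(content):
        raise UploadRejected("embedded PHP tag")
    # 5. Final containment check on the fully resolved path.
    return resolve_target(base_dir, mediapath, filename)


def upload_verdict(base_dir: str, mediapath: str, filename: str, content: bytes) -> str:
    """Convenience wrapper returning 'accepted:<path>' or 'rejected:<reason>'."""
    try:
        return "accepted:" + validate_upload(base_dir, mediapath, filename, content)
    except UploadRejected as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    # Constructed inputs, not real uploads.
    base = "/var/www/xerte/media"
    print(upload_verdict(base, "languages", "en.xml", b"<?xml version='1.0'?><root/>"))
    print(upload_verdict(base, "languages", "en.php", b"<?php echo 1; ?>"))
    print(upload_verdict(base, "../../", "en.xml", b"<?xml version='1.0'?><root/>"))
```

The content check is deliberately independent of the extension check: a file named en.xml whose bytes begin with a PHP tag fails step 3, and an otherwise well-formed XML file with a PHP tag buried in it fails step 4, so neither ever reaches the resolved path.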
🔍 How to Verify
Check if Vulnerable:
Check if website_code/php/import/fileupload.php exists and version is 3.9 or earlier.
Check Version:
Check version.php or similar version file in Xerte installation directory.
Verify Fix Applied:
Verify commits 1672d6f46bbd6f6d42f0903ce9a313927ae2836b and 6daeb81d089d4a561e22f931fff1327660a7d1b5 are applied to the codebase.
📡 Detection & Monitoring
Log Indicators:
- File uploads to /website_code/php/import/fileupload.php with .php extensions
- Requests containing '../' sequences in mediapath parameter
Network Indicators:
- POST requests to fileupload.php endpoint with unusual file types
SIEM Query:
source="web_logs" AND uri="/website_code/php/import/fileupload.php" AND (file_extension="php" OR params CONTAINS "../")
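The log indicators and SIEM query above, expressed as an added detection script (not part of the advisory or of Xerte). It assumes a JSON-lines log in which each record carries the request URI, its query parameters and the name of any uploaded file; those field names mirror the SIEM query's fields and are assumptions, not a real Xerte log format. It goes slightly beyond the page in two ways, both marked in the code: percent-encoding is decoded twice so a double-encoded traversal sequence is not missed, and the extension match covers the usual PHP handler variants in addition to .php. The sample records are constructed for the example.

```python
"""Flag CVE-2021-44664 exploitation attempts in structured web/application logs.

Added example, not code from the advisory or the Xerte project. Field names
(uri, params, upload_filename) are assumptions modelled on the SIEM query.
"""
import json
import re
from urllib.parse import unquote

VULN_URI = "/website_code/php/import/fileupload.php"

# The advisory names '../'; the regex also catches the backslash form.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
# The advisory names '.php'; the alternates broaden the check to the
# usual PHP handler extensions (assumption beyond the page).
PHP_EXT_RE = re.compile(r"\.(php[3-7]?|phtml|phar)$", re.IGNORECASE)


def _decode(value: str) -> str:
    """Decode percent-encoding twice so double-encoded '../' is not missed."""
    return unquote(unquote(value))


def classify(record: dict) -> list:
    """Return the indicators matched by one record; an empty list means benign."""
    if record.get("uri", "") != VULN_URI:
        return []
    reasons = []
    params = record.get("params", {}) or {}
    if TRAVERSAL_RE.search(_decode(str(params.get("mediapath", "")))):
        reasons.append("traversal in mediapath")
    if PHP_EXT_RE.search(_decode(str(record.get("upload_filename", "")))):
        reasons.append("php upload")
    # Traversal in any other parameter of this endpoint is still worth a look.
    for name, value in params.items():
        if name != "mediapath" and TRAVERSAL_RE.search(_decode(str(value))):
            reasons.append(f"traversal in {name}")
    return reasons


def scan(lines) -> list:
    """Parse JSON lines and return (record, reasons) pairs for every hit."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the whole scan
        reasons = classify(record)
        if reasons:
            hits.append((record, reasons))
    return hits


# Constructed sample records (not real traffic).
SAMPLE_LOG = """
{"ts": "2021-11-03T10:15:01Z", "src": "10.0.0.5", "method": "POST", "uri": "/website_code/php/import/fileupload.php", "params": {"mediapath": "../../"}, "upload_filename": "en.php"}
{"ts": "2021-11-03T10:16:22Z", "src": "10.0.0.6", "method": "POST", "uri": "/website_code/php/import/fileupload.php", "params": {"mediapath": "languages/"}, "upload_filename": "en.xml"}
{"ts": "2021-11-03T10:17:45Z", "src": "10.0.0.7", "method": "GET", "uri": "/index.php", "params": {}, "upload_filename": ""}
{"ts": "2021-11-03T10:18:09Z", "src": "10.0.0.8", "method": "POST", "uri": "/website_code/php/import/fileupload.php", "params": {"mediapath": "%252e%252e%252f"}, "upload_filename": "theme.phtml"}
"""

if __name__ == "__main__":
    for record, reasons in scan(SAMPLE_LOG.splitlines()):
        print(record["ts"], record["src"], "->", ", ".join(reasons))
```

Run against a real export, pipe the JSON lines into scan() and alert on any non-empty reasons list; the fourth sample record shows why single-pass decoding is not enough, since %252e%252e%252f only becomes ../ after the second unquote.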
🔗 References
- http://packetstormsecurity.com/files/166182/Xerte-3.9-Remote-Code-Execution.html
- https://github.com/thexerteproject/xerteonlinetoolkits/commit/1672d6f46bbd6f6d42f0903ce9a313927ae2836b#diff-27433bb0be90e431d40986f9afebe9ee2f8d1025a7f9e55c3cd7a86f1f8e3fdc
- https://github.com/thexerteproject/xerteonlinetoolkits/commit/6daeb81d089d4a561e22f931fff1327660a7d1b5
- https://riklutz.nl/2021/11/03/authenticated-file-upload-to-remote-code-execution-in-xerte/