CVE-2023-27507
📋 TL;DR
MicroEngine Mailform versions 1.1.0 to 1.1.8 contain a path traversal vulnerability in the file upload function. When the server save option is enabled, attackers can upload arbitrary files to any location on the server, potentially leading to remote code execution. This affects all users running vulnerable versions with the file upload feature enabled.
💻 Affected Systems
- MicroEngine Mailform
📦 What is this software?
Mailform by Microengine
⚠️ Risk & Real-World Impact
Worst Case
Remote attacker gains full server control through arbitrary file upload and execution, leading to data theft, system compromise, or ransomware deployment.
Likely Case
Attackers upload web shells or malicious scripts to gain persistent access, execute commands, and potentially pivot to other systems.
If Mitigated
With proper file upload restrictions and server hardening, impact is limited to potential file system manipulation without code execution.
🎯 Exploit Status
Exploitation is straightforward with publicly available proof-of-concept code. Attackers can chain path traversal with file upload to achieve RCE.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1.9 or later
Vendor Advisory: https://microengine.jp/information/security_2023_05.html
Restart Required: No
Instructions:
1. Download the latest version from the vendor website.
2. Back up the current installation.
3. Replace the vulnerable files with the patched version.
4. Verify functionality.
🔧 Temporary Workarounds
Disable File Upload
Disable the file upload functionality in the Mailform configuration
Edit configuration to set file upload to disabled
Restrict Upload Directory
Configure the web server to prevent execution in upload directories
Add 'php_flag engine off' to .htaccess in upload directory (Apache)
Set appropriate permissions to prevent execution
🧯 If You Can't Patch
- Implement strict file upload validation (whitelist extensions, validate file types)
- Deploy WAF with path traversal and file upload protection rules
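The strict upload validation recommended above, written out as an added Python example (this is illustrative code, not Mailform's own upload handler, and the upload root, the extension allow-list and the blocked executable extensions are assumptions for the example). It rejects any client-supplied filename that carries a path separator or traversal token, enforces an extension allow-list, refuses double extensions that smuggle an executable type, and finally confirms that the normalised target path still lies under the upload root.

```python
import posixpath
import re
from typing import Optional

# Constructed upload root for this example; not a Mailform path.
UPLOAD_ROOT = "/var/www/mailform/uploads"

# Assumed allow-list for mail-form attachments; adjust to what the form really needs.
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "txt"}

# Extension tokens that must never appear anywhere in the name, so
# "shell.php.png" is rejected even though its final extension is allowed.
EXECUTABLE_EXTENSIONS = {"php", "phtml", "phar", "php3", "php5", "cgi", "pl", "sh"}

# Conservative character whitelist: alphanumerics, dot, underscore, dash;
# must start with an alphanumeric so ".htaccess" and "..." are refused.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")


def sanitize_filename(client_filename: str) -> Optional[str]:
    """Return the filename if it is acceptable as-is, otherwise None."""
    # A browser sends only a basename; any separator, NUL or '..' is hostile input.
    if "/" in client_filename or "\\" in client_filename or "\x00" in client_filename:
        return None
    if client_filename in ("", ".", "..") or not SAFE_NAME.match(client_filename):
        return None
    parts = client_filename.lower().split(".")
    if len(parts) < 2 or parts[-1] not in ALLOWED_EXTENSIONS:
        return None  # no extension, or extension not on the allow-list
    if any(p in EXECUTABLE_EXTENSIONS for p in parts[1:]):
        return None  # double extension hiding an executable type
    return client_filename


def safe_upload_path(client_filename: str, upload_root: str = UPLOAD_ROOT) -> Optional[str]:
    """Compute the destination path, or None if the upload must be refused."""
    name = sanitize_filename(client_filename)
    if name is None:
        return None
    root = posixpath.normpath(upload_root)
    candidate = posixpath.normpath(posixpath.join(root, name))
    # Defence in depth: even after sanitising, the final path must stay under the root.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for attempt in ["report.pdf", "../../var/www/html/shell.php", "shell.php.png", "notes.TXT"]:
        print(f"{attempt!r:40} -> {safe_upload_path(attempt)}")
```

The containment check at the end is deliberately redundant with the filename rules: if a later change relaxes the whitelist, the path check still refuses anything that escapes the upload directory. Pair it with the `php_flag engine off` (or equivalent) setting in the upload directory so that even an accepted file cannot be executed by the web server.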
🔍 How to Verify
Check if Vulnerable:
Check Mailform version in admin panel or configuration files. If version is between 1.1.0 and 1.1.8 with file upload enabled, system is vulnerable.
Check Version:
Check version.php or admin panel for version information
Verify Fix Applied:
Verify version is 1.1.9 or later. Test file upload with path traversal attempts to confirm they are blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads with directory traversal patterns (../, ..\)
- File creation in unexpected directories
- Web shell or PHP file uploads
Network Indicators:
- HTTP POST requests with file uploads containing path traversal sequences
- Requests to unusual file paths after upload
SIEM Query:
source="web_logs" AND (method="POST" AND uri="*upload*" AND (body="*../*" OR body="*..\*"))
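The log and network indicators listed above, turned into a small detection routine as an added Python example (not part of the original advisory or of any SIEM product). It parses Apache combined-format access lines, percent-decodes the request URI repeatedly so encoded traversal sequences are caught, flags upload POSTs that contain a traversal token, and then flags any later request from the same client to a PHP path that is not one of the application's known pages. The sample log lines, the client addresses and the allow-list of known endpoints are constructed for the example; in this sample the uploaded filename travels in the query string because access logs do not record POST bodies, so for body inspection the same logic would be run over WAF or application logs that capture the filename field.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Apache combined log format: client, ident, user, [time], "METHOD URI PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Traversal token after decoding: '..' followed by either separator.
TRAVERSAL_RE = re.compile(r"\.\.(?:/|\\)")

# Assumed allow-list of the application's own pages (constructed for the example).
KNOWN_ENDPOINTS = {"/mailform/index.php", "/mailform/upload.php", "/mailform/confirm.php"}

# Constructed sample traffic; addresses are documentation ranges, not real hosts.
SAMPLE_LOGS = [
    '203.0.113.5 - - [10/May/2023:10:01:12 +0900] "POST /mailform/upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/May/2023:10:01:13 +0900] "POST /mailform/upload.php?name=../../../var/www/html/shell.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/May/2023:10:02:40 +0900] "POST /mailform/upload.php?name=..%2F..%2Fcmd.php HTTP/1.1" 200 512 "-" "curl/7.88"',
    '198.51.100.7 - - [10/May/2023:10:02:41 +0900] "GET /mailform/cmd.php?c=id HTTP/1.1" 200 64 "-" "curl/7.88"',
    '192.0.2.9 - - [10/May/2023:10:05:00 +0900] "GET /mailform/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def decode_repeatedly(s: str, rounds: int = 3) -> str:
    """Percent-decode until stable, so %252e%252e%252f is also seen as ../"""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert dict per suspicious request, in log order."""
    alerts: List[Dict[str, str]] = []
    suspected_uploaders = set()  # clients that already sent a traversal upload
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line; a real pipeline would count these
        uri = decode_repeatedly(rec["uri"])
        path = uri.split("?", 1)[0]
        if rec["method"] == "POST" and "upload" in path.lower() and TRAVERSAL_RE.search(uri):
            alerts.append({"ip": rec["ip"], "time": rec["time"],
                           "rule": "traversal_in_upload", "uri": rec["uri"]})
            suspected_uploaders.add(rec["ip"])
        elif path.endswith(".php") and path not in KNOWN_ENDPOINTS and rec["ip"] in suspected_uploaders:
            # Second indicator from the advisory: a request to an unexpected file
            # path by a client that just attempted a traversal upload.
            alerts.append({"ip": rec["ip"], "time": rec["time"],
                           "rule": "new_php_after_upload", "uri": rec["uri"]})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(f'{alert["time"]} {alert["ip"]:14} {alert["rule"]:22} {alert["uri"]}')
```

The second rule keys on client address only as a simple correlation; in a SIEM you would also bound it by a time window and by the upload directory seen in the first alert, and an allow-list of the real application's pages replaces the constructed `KNOWN_ENDPOINTS` set.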