CVE-2023-45856
📋 TL;DR
CVE-2023-45856 is a critical remote code execution vulnerability in qdPM 9.2 that allows attackers to upload malicious PHP files through the Add Attachments feature. This enables complete system compromise of affected qdPM installations. All organizations using qdPM 9.2 are affected unless they have implemented specific security controls.
💻 Affected Systems
- qdPM
📦 What is this software?
qdPM, a web-based project management application published by qdPM (https://qdpm.net).
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to execute arbitrary code, steal sensitive data, deploy ransomware, pivot to other systems, and maintain persistent access.
Likely Case
Attackers upload web shells to gain administrative access, exfiltrate project data and credentials, and potentially compromise the underlying server.
If Mitigated
Limited impact with proper file upload restrictions, web application firewalls, and network segmentation preventing successful exploitation.
🎯 Exploit Status
Exploitation is trivial - attackers simply upload a PHP file through the web interface. Public proof-of-concept demonstrates complete RCE.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://qdpm.net
Restart Required: No
Instructions:
No official patch available. Check qdPM.net for updates. Consider upgrading to a newer version if available or implementing workarounds.
🔧 Temporary Workarounds
- Restrict PHP file uploads: configure the web server so nothing in the uploads directory is executed as PHP.
  - For Apache: add 'php_flag engine off' to a .htaccess file in the /uploads directory (this only takes effect under mod_php and when AllowOverride permits it; with PHP-FPM, deny access to PHP files in that directory instead, e.g. a FilesMatch block with 'Require all denied')
  - For Nginx: add 'location ~ \.php$ { deny all; }' inside the uploads location block (widen the pattern if the server also hands .phtml, .phar or .php5 to PHP)
- Implement file type validation: add server-side validation that rejects PHP file uploads.
  - Modify the qdPM source code to check file extensions (every dotted segment, not only the last one) against an allowlist before saving uploads
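The server-side validation step above, as an added example that is not qdPM's code: the logic is written in Python so it can be read and tested on its own before being ported into qdPM's PHP upload handler. The allowlist, the set of executable extensions and the magic-byte table are assumptions for this example and should be adapted to the server's actual handler mapping and the attachment types the deployment needs.

```python
import os
import secrets

# Extensions that PHP handlers commonly execute. Constructed for this example;
# match it to the handler mapping of your own web server.
EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "php8", "phps", "phtml", "phar", "pht", "phtm",
}

# Allowlist of attachment types the project tool is expected to store.
# Assumed for this example; the vulnerable qdPM code has no such list.
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "gif", "txt", "csv", "docx", "xlsx", "zip"}

# Leading bytes for the binary formats in the allowlist (constructed subset).
MAGIC = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "docx": (b"PK\x03\x04",),
    "xlsx": (b"PK\x03\x04",),
    "zip": (b"PK\x03\x04",),
}


class UploadRejected(ValueError):
    """Raised when an attachment fails validation."""


def validate_attachment(client_filename: str, content: bytes) -> str:
    """Return a random storage name for an acceptable attachment, else raise UploadRejected.

    Order of checks: strip directory components, refuse NUL bytes and dot-files,
    inspect every dotted segment (so 'shell.php.jpg' and 'shell.jpg.php' both fail),
    require the final extension to be allowlisted, and for binary types require
    matching leading bytes. The returned name is random, so the client never
    chooses the path the web server will later serve.
    """
    name = os.path.basename(client_filename.replace("\\", "/"))
    if not name or "\x00" in name or name in (".", ".."):
        raise UploadRejected("empty or malformed file name")
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        # rejects both 'noextension' and dot-files such as '.htaccess'
        raise UploadRejected("missing base name or extension")
    segments = parts[1:]
    for seg in segments:
        # Apache AddHandler/MultiViews setups can execute 'x.php.jpg', so every segment counts
        if seg in EXECUTABLE_EXTENSIONS:
            raise UploadRejected(f"executable extension '{seg}'")
    ext = segments[-1]
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension '{ext}' is not allowlisted")
    if ext in MAGIC and not any(content.startswith(m) for m in MAGIC[ext]):
        raise UploadRejected("content does not match the declared type")
    if ext in ("txt", "csv") and b"<?" in content[:4096]:
        # a plain-text attachment has no business carrying a PHP open tag
        raise UploadRejected("text attachment contains a PHP open tag")
    return f"{secrets.token_hex(16)}.{ext}"


def is_acceptable(client_filename: str, content: bytes) -> bool:
    """Boolean wrapper around validate_attachment for callers that only need a verdict."""
    try:
        validate_attachment(client_filename, content)
    except UploadRejected:
        return False
    return True
```

Keep the web-server hardening in place even with this check: the validator stops the upload path, while 'php_flag engine off' or the Nginx deny rule stops execution if some other path writes into /uploads.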
🧯 If You Can't Patch
- Disable the Add Attachments feature entirely in qdPM configuration
- Implement a web application firewall (WAF) with rules to block PHP file uploads to /uploads URI
🔍 How to Verify
Check if Vulnerable:
Attempt to upload a test PHP file through the Edit Project → Add Attachments feature. If it saves to /uploads and is accessible via browser, the system is vulnerable.
Check Version:
Check qdPM version in admin panel or review installation files for version markers.
Verify Fix Applied:
Attempt the same upload test - PHP files should be rejected or saved with execution disabled. Verify uploads directory blocks PHP execution.
📡 Detection & Monitoring
Log Indicators:
- PHP file uploads to /uploads directory
- Unusual file uploads via Edit Project feature
- Web server logs showing .php file requests to uploads path
Network Indicators:
- HTTP POST requests with .php files to upload endpoints
- Subsequent requests to uploaded PHP files
SIEM Query (pseudo-syntax; adapt field names to your platform, and note that a '*.php' pattern alone does not match double extensions such as '.php.jpg' or variants such as '.phtml'):
source="web_server" AND (uri_path="/uploads/*.php" OR (method="POST" AND uri_path CONTAINS "add_attachment" AND file_extension="php"))
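As an added example of the log and network indicators above (not part of the original advisory): a small detector over Apache/Nginx combined-format access logs. The sample log lines, the /uploads/attachments/ subdirectory and the project edit URL are constructed for this example; only the /uploads path comes from the advisory. It flags any request for a PHP-executable name under /uploads, including the double-extension and .phtml cases a plain '*.php' pattern misses, and raises the rule to upload_then_execute when the same client sent a POST shortly beforehand, which is how the upload step appears in an access log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/Nginx "combined" access-log prefix (referer and user-agent may follow; not needed here).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# A PHP-executable extension anywhere in a path under /uploads. Unlike the SIEM
# pattern "/uploads/*.php" this also catches "x.php.jpg", "x.phtml" and "x.php5".
PHP_UPLOAD_RE = re.compile(r"^/uploads/.*\.(?:php\d?|phtml|phar|phps)(?:[./?]|$)", re.IGNORECASE)

# Constructed sample log: the /uploads/attachments/ subdirectory and the
# project edit URL are assumptions, not taken from the advisory.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Nov/2023:10:14:01 +0000] "GET /index.php/projects/edit/1 HTTP/1.1" 200 5120
203.0.113.7 - - [02/Nov/2023:10:14:09 +0000] "POST /index.php/projects/edit/1 HTTP/1.1" 302 0
203.0.113.7 - - [02/Nov/2023:10:14:15 +0000] "GET /uploads/attachments/shell.php HTTP/1.1" 200 87
198.51.100.4 - - [02/Nov/2023:10:20:00 +0000] "GET /uploads/attachments/report.pdf HTTP/1.1" 200 30211
198.51.100.4 - - [02/Nov/2023:10:21:00 +0000] "GET /uploads/attachments/img.php.jpg HTTP/1.1" 200 87
"""


def parse_line(line: str):
    """Parse one access-log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], TS_FMT)
    event["status"] = int(event["status"])
    return event


def detect(log_text: str, window: timedelta = timedelta(minutes=10)) -> list:
    """Return alerts for PHP requests under /uploads, in log order.

    Rule "php_under_uploads": any request for a PHP-executable name below /uploads.
    Rule "upload_then_execute": the same, when the client sent a POST (the upload
    step) within `window` beforehand. Lines are assumed to be in chronological order.
    """
    recent_posts = defaultdict(list)  # client ip -> timestamps of its POST requests
    alerts = []
    for event in filter(None, map(parse_line, log_text.splitlines())):
        if event["method"] == "POST":
            recent_posts[event["ip"]].append(event["ts"])
        if not PHP_UPLOAD_RE.match(event["path"]):
            continue
        preceded = any(timedelta(0) <= event["ts"] - t <= window for t in recent_posts[event["ip"]])
        alerts.append({
            "ip": event["ip"],
            "path": event["path"],
            "status": event["status"],  # 200 means the server served (or executed) the file
            "rule": "upload_then_execute" if preceded else "php_under_uploads",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

A 200 status on a flagged path is the strongest signal: once 'php_flag engine off' or the Nginx deny rule is in place, the same requests should return 403 (or serve the file as plain text), which is also a quick way to confirm the workaround took effect.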