CVE-2025-63748
📋 TL;DR
QaTraq 6.9.2 contains an unrestricted file upload vulnerability that allows authenticated users to upload PHP files, leading to remote code execution. Attackers can upload malicious PHP scripts that execute on the server when accessed. This affects all QaTraq 6.9.2 installations with authenticated user access.
💻 Affected Systems
- QaTraq
📦 What is this software?
Qatraq by Testmanagement
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise allowing attackers to execute arbitrary commands, steal data, install backdoors, pivot to other systems, or deploy ransomware.
Likely Case
Attackers upload web shells to gain persistent access, exfiltrate sensitive testing data and credentials, and potentially compromise connected systems.
If Mitigated
Limited impact if file uploads are restricted to authenticated users only, but still enables privilege escalation and data theft.
🎯 Exploit Status
Exploitation requires authentication but is straightforward. Public blog post details the vulnerability and exploitation method.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Unknown
Restart Required: No
Instructions:
Check vendor website for security updates. If no patch available, implement workarounds immediately.
🔧 Temporary Workarounds
Restrict File Upload Types
Configure the web server or application to block PHP file uploads via the attachment feature
# .htaccess placed in the upload directory (AllowOverride must permit it) to block PHP execution there.
# Covers the common PHP handler extensions, not only .php.
# Apache 2.2 syntax (works on 2.4 only with mod_access_compat loaded):
<FilesMatch "\.(php|phtml|phar)$">
Order Allow,Deny
Deny from all
</FilesMatch>
# Apache 2.4 native equivalent:
<FilesMatch "\.(php|phtml|phar)$">
Require all denied
</FilesMatch>
# Configure web application firewall to block PHP uploads
Disable Attachment Feature
Temporarily disable the 'Add Attachment' functionality in the Test Script module
# Modify application code to remove or disable attachment upload interface
🧯 If You Can't Patch
- Implement strict file type validation on server-side for all uploads
- Move upload directory outside web root and implement proper access controls
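The two controls above, written out as an added example (this is not QaTraq's own code): an attachment handler that validates uploads server-side against an allow-list and stores them outside the web root under a random name, then serves them back through PHP as opaque downloads. ATTACHMENT_DIR, the allow-list contents and the function names are assumptions chosen for the example.

```php
<?php
// Added example, not QaTraq's own code: a hardened attachment handler that
// applies server-side allow-list validation and storage outside the web root.
// ATTACHMENT_DIR, the allow-list and the function names are assumptions.
declare(strict_types=1);

const ATTACHMENT_DIR = '/var/qatraq_attachments'; // hypothetical, outside DocumentRoot
const MAX_BYTES      = 5 * 1024 * 1024;

// Allow-list: lower-case extension => MIME types fileinfo may report for it.
const ALLOWED_TYPES = [
    'txt'  => ['text/plain'],
    'csv'  => ['text/plain', 'text/csv'],
    'pdf'  => ['application/pdf'],
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
];

/**
 * Validate one $_FILES entry and move it into ATTACHMENT_DIR under a random name.
 * Returns the stored name; throws RuntimeException on any validation failure.
 */
function store_attachment(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, PHP error code ' . ($file['error'] ?? 'none'));
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not a file uploaded via HTTP POST');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('Attachment exceeds size limit');
    }

    // Only the final extension counts, and it must be on the allow-list:
    // "shell.php", "shell.phtml" and "shell.php." are all rejected here.
    $ext = strtolower(pathinfo(basename((string) $file['name']), PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException("Extension '$ext' is not allowed");
    }

    // Inspect the content; never trust the client-supplied $file['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_TYPES[$ext], true)) {
        throw new RuntimeException("Content type '$mime' does not match .$ext");
    }
    // For text types, also refuse PHP open tags, so a "notes.txt" that is
    // really a script is rejected even though text/plain is allowed.
    if (str_starts_with($mime, 'text/')) {
        $head = (string) file_get_contents($file['tmp_name'], false, null, 0, 65536);
        if (preg_match('/<\?(php|=)/i', $head)) {
            throw new RuntimeException('Attachment contains PHP markup');
        }
    }

    // Random server-side name: the user-supplied name never reaches the filesystem.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = ATTACHMENT_DIR . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store attachment');
    }
    chmod($dest, 0640); // readable by the application, never executable
    return $stored;
}

/**
 * Stream a stored attachment back through PHP as an opaque download, so the
 * web server never maps it to a script handler.
 */
function send_attachment(string $stored, string $downloadName): void
{
    // Accept only names this code generated; this also blocks path traversal.
    if (!preg_match('/^[0-9a-f]{32}\.([a-z0-9]+)$/', $stored, $m) || !isset(ALLOWED_TYPES[$m[1]])) {
        http_response_code(404);
        return;
    }
    $path = ATTACHMENT_DIR . '/' . $stored;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . rawurlencode(basename($downloadName)) . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

// Hypothetical use in the upload endpoint:
// try { $id = store_attachment($_FILES['attachment']); } catch (RuntimeException $e) { http_response_code(400); }
```

Three properties matter here: the decision is made on the last extension plus the actual content (fileinfo), not on the client-supplied name or Content-Type; the stored name is random so nothing the uploader chose ends up on disk; and because the directory is outside DocumentRoot, even a file that slips through can only ever be read back as bytes, never executed.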
🔍 How to Verify
Check if Vulnerable:
Attempt to upload a PHP file via the 'Add Attachment' feature in Test Script module. If successful and file executes when accessed, system is vulnerable.
Check Version:
Check QaTraq version in application interface or configuration files
Verify Fix Applied:
Attempt to upload PHP file - should be rejected. Verify uploaded files cannot be executed as code.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to attachment directories
- PHP file uploads via Test Script module
- Access to uploaded PHP files in web logs
Network Indicators:
- HTTP POST requests with PHP file uploads to attachment endpoints
- Subsequent requests to uploaded PHP files
SIEM Query:
source="web_logs" AND (uri="*/add_attachment*" OR uri="*/view_attachment*") AND (file_extension="php" OR file_type="application/x-php")
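The same indicators applied to raw web server logs, as an added example that is not part of the original advisory: it parses combined-format access-log lines, remembers which clients POSTed to the upload endpoint, and raises an alert for any request to a script file under the attachment directory, rated higher when the same client had uploaded shortly before and the request succeeded. The endpoint name (add_attachment) and directory (/attachments/) are assumptions taken from the SIEM query above, not verified QaTraq paths, and the log lines are constructed.

```php
<?php
// Added example, not part of the advisory: apply the log indicators above to
// combined-format access-log lines. The upload endpoint name (add_attachment)
// and attachment directory (/attachments/) are assumptions taken from the
// SIEM query, not verified QaTraq paths; the sample log lines are constructed.
declare(strict_types=1);

const COMBINED_LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';
const UPLOAD_ENDPOINT = 'add_attachment';
const ATTACHMENT_PATH = '~/attachments?/~i';
const SCRIPT_EXT      = '/\.(php\d?|phtml|phar)$/i';

/** Split one combined-format line into its fields, or return null if it does not parse. */
function parse_log_line(string $line): ?array
{
    if (!preg_match(COMBINED_LOG_RE, $line, $m)) {
        return null;
    }
    // Drop the query string so "shell.php?cmd=..." is matched on its path alone.
    $path = parse_url($m[4], PHP_URL_PATH);
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'path' => is_string($path) ? $path : $m[4], 'status' => (int) $m[5]];
}

/**
 * Return one alert per request for a script file under the attachment directory.
 * 'high'   = the same client already POSTed to the upload endpoint and the request succeeded
 * 'medium' = the request succeeded but no upload from that client was seen in these lines
 * 'low'    = the request failed (probe for a file that is not there)
 */
function find_attachment_execution(array $lines): array
{
    $uploaders = []; // client IP => number of POSTs to the upload endpoint
    $alerts    = [];
    foreach ($lines as $line) {
        $r = parse_log_line($line);
        if ($r === null) {
            continue;
        }
        if ($r['method'] === 'POST' && stripos($r['path'], UPLOAD_ENDPOINT) !== false) {
            $uploaders[$r['ip']] = ($uploaders[$r['ip']] ?? 0) + 1;
            continue;
        }
        if (!preg_match(ATTACHMENT_PATH, $r['path']) || !preg_match(SCRIPT_EXT, $r['path'])) {
            continue;
        }
        $succeeded = $r['status'] >= 200 && $r['status'] < 300;
        $severity  = $succeeded ? (isset($uploaders[$r['ip']]) ? 'high' : 'medium') : 'low';
        $alerts[]  = ['severity' => $severity, 'ip' => $r['ip'], 'time' => $r['time'],
                      'path' => $r['path'], 'status' => $r['status'],
                      'prior_uploads' => $uploaders[$r['ip']] ?? 0];
    }
    return $alerts;
}

// Constructed sample log lines (not real traffic): a normal PDF download, an
// upload followed by a request to a PHP file in the attachment directory from
// the same client, and an unrelated failed probe.
$sample = [
    '198.51.100.7 - alice [10/Oct/2025:09:01:12 +0000] "GET /qatraq/attachments/spec.pdf HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '203.0.113.5 - bob [10/Oct/2025:09:02:03 +0000] "POST /qatraq/add_attachment HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - bob [10/Oct/2025:09:02:09 +0000] "GET /qatraq/attachments/report.php?cmd=id HTTP/1.1" 200 57 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2025:09:05:44 +0000] "GET /qatraq/attachments/x.phtml HTTP/1.1" 404 196 "-" "curl/8.4"',
];

if (PHP_SAPI === 'cli') {
    foreach (find_attachment_execution($sample) as $a) {
        printf("[%s] %s %s -> HTTP %d (prior uploads from this client: %d) at %s\n",
            strtoupper($a['severity']), $a['ip'], $a['path'], $a['status'], $a['prior_uploads'], $a['time']);
    }
}
```

Run from the command line the sample produces one HIGH alert for 203.0.113.5 (upload, then a successful request to report.php) and one LOW alert for the 404 probe; the PDF download produces nothing. In practice, feed it the full log so that uploads and executions hours apart are still correlated, and pass the alerts on to the SIEM rather than only printing them.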