CVE-2019–19634 (Arbitrary file upload in class.upload.php)

Jinny Ramsmark
1 min readDec 8, 2019

--

class.upload.php <= 2.0.4 Arbitrary file upload

Vendor: https://www.verot.net/

Product: class.upload.php

PoC github: https://github.com/jra89/CVE-2019–19634

CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019–19634

This is basically the exact same thing again as with CVE-2019–19576. I took another look after the patch was released and realized that there are other PHP extensions out there, in this case on Debian/Ubuntu with PHP5 that this library does not blacklist. So I installed PHP5 on Ubuntu and tested it, and the same thing went through. Both Verot and K2/JoomlaWorks have released patches and agreed to release this new CVE.

So this is a bit of a shorter text, but there are a bunch of more coming up (That are currently within the 90 days responsible disclosure timeline, plus some Vendors that have asked for extended time).

--

--

Jinny Ramsmark

I program, hack, and write odd stories. I am an independent security consultant.

Recommended from Medium

Lists