FileThingie 2.5.7 Arbitrary File Upload via ft2.php
traduction en cours…Plateforme
php
Composant
filethingie
Corrigé dans
2.5.8
CVE-2019-25471 describes a critical arbitrary file access vulnerability discovered in FileThingie. This flaw allows attackers to upload and execute malicious files, potentially leading to complete system compromise. The vulnerability impacts FileThingie versions 2.5.7 through 2.5.7. A patch is available in version 2.5.8.
Impact et Scénarios d'Attaquetraduction en cours…
The primary impact of CVE-2019-25471 is the ability for an attacker to gain arbitrary code execution on a system running FileThingie. By crafting a malicious ZIP archive containing PHP shell scripts and uploading it through the ft2.php endpoint, an attacker can leverage FileThingie's unzip functionality to extract the shell into a publicly accessible directory. Subsequently, the attacker can execute arbitrary commands on the server, potentially leading to data theft, system takeover, or denial of service. The blast radius extends to any sensitive data stored or processed by the FileThingie application, and the attacker could potentially pivot to other systems on the network.
Contexte d'Exploitationtraduction en cours…
CVE-2019-25471 is a high-severity vulnerability with a CVSS score of 9.8. Public proof-of-concept exploits are likely to emerge given the ease of exploitation. While no active campaigns have been publicly confirmed, the vulnerability's simplicity makes it an attractive target for opportunistic attackers. The vulnerability was published on 2026-03-11.
Qui Est à Risquetraduction en cours…
Web applications utilizing FileThingie version 2.5.7 are at significant risk. This includes applications deployed on shared hosting environments where file upload functionality is commonly used. Systems with weak input validation or inadequate WAF protection are particularly vulnerable.
Étapes de Détectiontraduction en cours…
• php: Examine web server access logs for requests to ft2.php containing ZIP files. Look for unusual file extensions or filenames within the uploaded ZIP archives.
grep 'ft2.php' access.log | grep '.zip'• php: Search for newly created PHP files in publicly accessible directories that may contain malicious code.
find /var/www/html -name '*.php' -type f -mtime -1• generic web: Monitor for unexpected PHP process executions on the server.
ps aux | grep phpChronologie de l'Attaque
- Disclosure
disclosure
Renseignement sur les Menaces
Statut de l'Exploit
EPSS
0.20% (percentile 42%)
CISA SSVC
Vecteur CVSS
Que signifient ces métriques?
- Attack Vector
- Réseau — exploitable à distance via internet. Aucun accès physique ou local requis.
- Attack Complexity
- Faible — aucune condition spéciale requise. Exploitable de manière fiable.
- Privileges Required
- Aucun — sans authentification. Aucune identifiant requis pour exploiter.
- User Interaction
- Aucune — attaque automatique et silencieuse. La victime ne fait rien.
- Scope
- Inchangé — impact limité au composant vulnérable.
- Confidentiality
- Élevé — perte totale de confidentialité. L'attaquant peut lire toutes les données.
- Integrity
- Élevé — l'attaquant peut écrire, modifier ou supprimer toutes les données.
- Availability
- Élevé — panne complète ou épuisement des ressources. Déni de service total.
Logiciel Affecté
Classification de Faiblesse (CWE)
Chronologie
- Réservé
- Publiée
- Modifiée
- EPSS mis à jour
Mitigation et Contournementstraduction en cours…
The primary mitigation for CVE-2019-25471 is to immediately upgrade FileThingie to version 2.5.8 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing temporary workarounds. These may include restricting file uploads to specific file types, implementing strict input validation on the ft2.php endpoint to prevent ZIP uploads, and configuring a Web Application Firewall (WAF) to block requests containing malicious ZIP files. Monitor access logs for suspicious file upload attempts. After upgrading, confirm the fix by attempting to upload a test ZIP file containing a harmless PHP script and verifying that the upload fails or is properly sanitized.
Comment corrigertraduction en cours…
Actualice FileThingie a la versión 2.5.8 o posterior para mitigar la vulnerabilidad de carga arbitraria de archivos. Verifique y restrinja los tipos de archivos permitidos para la carga a través del endpoint ft2.php. Implemente una validación robusta de los archivos cargados para prevenir la ejecución de código malicioso.
Newsletter Sécurité CVE
Analyses de vulnérabilités et alertes critiques directement dans votre boîte mail.
Questions fréquentestraduction en cours…
What is CVE-2019-25471 — Arbitrary File Access in FileThingie?
CVE-2019-25471 is a critical vulnerability in FileThingie versions 2.5.7–2.5.7 that allows attackers to upload and execute malicious files, potentially leading to system compromise.
Am I affected by CVE-2019-25471 in FileThingie?
If you are using FileThingie version 2.5.7, you are vulnerable to this attack. Upgrade to version 2.5.8 or later to mitigate the risk.
How do I fix CVE-2019-25471 in FileThingie?
The recommended fix is to upgrade FileThingie to version 2.5.8 or later. As a temporary workaround, restrict file uploads and implement WAF rules.
Is CVE-2019-25471 being actively exploited?
While no active campaigns have been confirmed, the vulnerability's simplicity makes it a likely target for attackers. Vigilance and prompt patching are crucial.
Where can I find the official FileThingie advisory for CVE-2019-25471?
Refer to the FileThingie project's official website or security advisories for the most up-to-date information and guidance.
Ton projet est-il affecté ?
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.