CVE-2013-10054
BaseFortify
Publication date: 2025-08-04
Last updated on: 2025-08-05
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| librettocms | librettocms | 1.1.7 |
| librettocms | librettocms | 2.2.2 |
| librettocms | librettocms | 1.7 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can lead to a full compromise of the affected server. Attackers can upload and execute arbitrary PHP code remotely, which may allow them to run malicious commands, access sensitive data, modify or delete files, and potentially take control of the entire system. The exploit requires no authentication and can be executed remotely over the network, making it highly dangerous. [1, 2, 4]
Can you explain this vulnerability to me?
CVE-2013-10054 is an unauthenticated arbitrary file upload vulnerability in LibrettoCMS version 1.1.7 (and possibly earlier). The vulnerability exists in the File Manager plugin's upload handler, which fails to properly validate file extensions. Attackers can upload files with misleading extensions (e.g., disguised as PDFs or DOCs) and then rename them to executable PHP scripts. This allows remote attackers to execute arbitrary code on the server without any authentication. [1, 2, 3, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can be performed by checking for the presence of the vulnerable upload endpoint and for signs of arbitrary file uploads or renamed PHP files in the /userfiles/ directory. One can attempt to detect the vulnerable CMS by sending an HTTP request to the base URI and checking for the string "Powered by Libretto CMS" in the response. Additionally, monitoring HTTP POST requests to /adm/ui/js/ckeditor/plugins/pgrfilemanager/php/upload.php with multipart/form-data content, and subsequent POST requests to /adm/ui/js/ckeditor/plugins/pgrfilemanager/php/files.php for file renaming actions, can indicate exploitation attempts. Commands to detect this might include using curl or wget to check for the CMS signature, and inspecting web server logs for suspicious POST requests to the upload and rename endpoints. For example:

1. `curl -s http://target/ | grep "Powered by Libretto CMS"`
2. `grep "/adm/ui/js/ckeditor/plugins/pgrfilemanager/php/upload.php" /var/log/apache2/access.log`
3. `grep "/adm/ui/js/ckeditor/plugins/pgrfilemanager/php/files.php" /var/log/apache2/access.log`
4. Searching the /userfiles/ directory for unexpected .php files that may have been uploaded or renamed.

[2, 3]
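The separate grep checks above can be combined into one pass that correlates an upload, a rename, and a later request for a .php file under /userfiles/ by client address. This is an added example, not part of the original page or of LibrettoCMS; it assumes Apache common/combined log format, a 10-minute correlation window, and constructed sample log lines.

```python
import re
from datetime import datetime, timedelta

# Endpoint paths come from the advisory text; the window is an assumption.
UPLOAD = "/adm/ui/js/ckeditor/plugins/pgrfilemanager/php/upload.php"
RENAME = "/adm/ui/js/ckeditor/plugins/pgrfilemanager/php/files.php"
WINDOW = timedelta(minutes=10)

# Apache common/combined prefix: ip ident user [time] "METHOD target proto" status
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def parse(line):
    m = LINE.match(line)
    if not m:
        return None  # skip malformed lines instead of raising
    ip, ts, method, target, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, target.split("?", 1)[0], int(status)

def find_sequences(lines):
    """Return (ip, stage, time) tuples; stages: upload, upload+rename, php-in-userfiles."""
    last_upload, findings = {}, []
    for ip, when, method, path, status in filter(None, map(parse, lines)):
        if method == "POST" and path.endswith(UPLOAD):
            last_upload[ip] = when
            findings.append((ip, "upload", when))
        elif method == "POST" and path.endswith(RENAME):
            up = last_upload.get(ip)  # a rename only counts after an upload from the same IP
            if up is not None and timedelta(0) <= when - up <= WINDOW:
                findings.append((ip, "upload+rename", when))
        elif "/userfiles/" in path and path.lower().endswith(".php") and status == 200:
            findings.append((ip, "php-in-userfiles", when))
    return findings

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE = [
    '198.51.100.7 - - [05/Aug/2025:09:58:00 +0000] "POST /adm/ui/js/ckeditor/plugins/pgrfilemanager/php/files.php HTTP/1.1" 200 31',
    '203.0.113.9 - - [05/Aug/2025:10:01:10 +0000] "POST /adm/ui/js/ckeditor/plugins/pgrfilemanager/php/upload.php HTTP/1.1" 200 64',
    '203.0.113.9 - - [05/Aug/2025:10:01:40 +0000] "POST /adm/ui/js/ckeditor/plugins/pgrfilemanager/php/files.php HTTP/1.1" 200 31',
    '203.0.113.9 - - [05/Aug/2025:10:02:05 +0000] "GET /userfiles/report.php HTTP/1.1" 200 12',
    '198.51.100.7 - - [05/Aug/2025:10:03:00 +0000] "GET /userfiles/manual.pdf HTTP/1.1" 200 20480',
    'not an access log line',
]

if __name__ == "__main__":
    for ip, stage, when in find_sequences(SAMPLE):
        print(when.isoformat(), ip, stage)
```

An "upload+rename" or "php-in-userfiles" finding is the higher-confidence signal; a lone "upload" hit still warrants review because the endpoint requires no authentication.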
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling or restricting access to the vulnerable file upload functionality located at /adm/ui/js/ckeditor/plugins/pgrfilemanager/php/upload.php, applying strict validation on file uploads to prevent arbitrary file types, especially executable PHP files, and restricting file renaming capabilities that allow changing extensions to .php. If possible, update LibrettoCMS to a version where this vulnerability is patched. Additionally, monitor and remove any suspicious uploaded files in the /userfiles/ directory. Implement web application firewall (WAF) rules to block malicious upload attempts and unauthorized file renaming requests. As a temporary measure, restrict access to the vulnerable endpoints by IP or authentication to prevent unauthenticated exploitation. [1, 2, 4]