CVE-2019-25471
Arbitrary File Upload in FileThingie 2.5.7 Enables Remote Code Execution
Publication date: 2026-03-11
Last updated on: 2026-04-13
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| leefish | file_thingie | to 2.5.7 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
FileThingie 2.5.7 contains an arbitrary file upload vulnerability that allows attackers to upload malicious ZIP archives through the ft2.php endpoint.
Attackers can upload ZIP files containing PHP shells, then use the unzip functionality to extract these files into accessible directories on the server.
Once extracted, the attacker can execute arbitrary commands on the server by accessing the uploaded PHP shell scripts remotely.
How can this vulnerability impact me? :
This vulnerability can lead to full remote code execution on the server hosting FileThingie.
- Attackers can run arbitrary system commands remotely.
- Sensitive files on the server, such as /etc/passwd, can be read by the attacker.
- The server and its data can be completely compromised, potentially leading to data theft, service disruption, or further attacks on connected systems.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of uploaded malicious ZIP files and extracted PHP shells on the server, especially through the vulnerable endpoint /filethingy/ft2.php.
You can attempt to detect if the exploit has been used by sending HTTP GET requests to potential locations of the uploaded PHP shell and observing the responses.
- Send a GET request to /filethingie/folders/tester/cmdshell.php with a command parameter, for example: GET /filethingie/folders/tester/cmdshell.php?cmd=whoami to check if the shell executes commands.
- Check for suspicious ZIP file uploads by monitoring POST requests to /filethingie/ft2.php containing ZIP files.
- Look for extracted PHP files in writable directories such as /tester or other accessible folders.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling or restricting the file upload and unzip functionality on the vulnerable endpoint /filethingie/ft2.php to prevent arbitrary file uploads.
Remove any suspicious uploaded ZIP files and extracted PHP shells from the server to eliminate existing backdoors.
Restrict write permissions on directories accessible by the web server to prevent extraction of malicious files.
Monitor web server logs for unusual POST requests uploading ZIP files and GET requests accessing suspicious PHP scripts.
Apply patches or upgrade FileThingie to a version that fixes this vulnerability once available.