SeedDMS 5.1.22 Exploit Info

With database credentials, the attacker connects to the MySQL database and examines the tblUsers table. The table contains password hashes and other user information. By updating the admin account's password hash to a known value, the attacker gains administrative access to the SeedDMS platform.

Expected output includes 5.1.22.

Bryan found that a user with basic "write" permissions could upload more than just PDFs or text files. He realized he could upload a specialized PHP script, essentially a master key disguised as a document.

When an administrator reviews the system logs or event history, this payload executes silently. The script extracts the admin's session cookie and transmits it to the attacker's server, resulting in immediate .

2. File Upload Restrictions & The RCE Threat Landscape

They upload a file with a .php extension (or a double extension like image.php.jpg) containing malicious PHP code.

curl "http://192.168.1.100/seeddms51/data/1000/1/1/evil.php?cmd=id"

UPDATE tblUsers SET pwd = 'e10adc3949ba59abbe56e057f20f883e' WHERE login = 'admin';

This is similar to CVE-2019-12744, which allows authenticated users with file upload privileges to execute PHP code by uploading a malicious file.

If the application's /data/ or document storage directory permits the execution of PHP files, browsing directly to the uploaded file grants the attacker an interactive terminal. This completely bypasses application boundaries and executes code with the privileges of the underlying web server user (www-data or apache).

A vulnerability classified as problematic was found in SeedDMS up to versions 5.1.22 and 6.0.15. This issue affects the file /op/op.Ajax.php of the Document Name Handler component. The manipulation leads to a cross-site request forgery vulnerability (CWE-352), where the web application fails to sufficiently verify whether a well-formed request was intentionally provided by the user who submitted it. This vulnerability demands user interaction, as the victim must be enticed to perform certain actions while authenticated. Upgrading to version 5.1.23 or 6.0.16 eliminates this vulnerability.