CVE-2018-11091

Vulnerability

CVE-2018-11091 is an arbitrary file upload vulnerability in MyBiz MyProcureNet version 5.0.0 [2]. The application uses a HiddenFieldControlCustomWhiteListedExtensions parameter to filter allowed file extensions during upload. An authenticated attacker can modify this hidden field (e.g., via browser developer tools) to add extensions such as .asp to the whitelist [1]. The server then accepts and stores malicious files like secctest.asp without further validation, enabling the upload of scripts that can execute operating system commands [1][2]. No additional configuration or privilege escalation is required beyond standard authentication.

Exploitation

An attacker who can authenticate to the application (since user registration is usually open to anyone [2]) can exploit the vulnerability by intercepting or modifying the file upload request. The attacker adds a dangerous extension (e.g., .asp, .aspx, .jsp) to the HiddenFieldControlCustomWhiteListedExtensions parameter via a man-in-the-middle proxy or simply by adjusting the hidden field in a browser's developer console [1][2]. After the file is uploaded to the web server, the attacker accesses it through a web browser, which executes the uploaded script (web shell) and provides a command prompt on the underlying operating system [1].

Impact

Successful exploitation allows the attacker to execute arbitrary operating system commands on the target server at the privilege level of the web application (typically NETWORK SERVICE or IUSR) [1]. This leads to full compromise of the MyProcureNet instance, including reading, modifying, or deleting any data accessible to the application, installing backdoors, and potentially pivoting to internal systems [1][2]. The impact severity is critical (CVSS 9.9) because the vulnerability can be easily chained with the open registration to bypass authentication barriers.

Mitigation

The vendor (MyBiz) did not respond to disclosures made in February 2018, and no patch or update has been released [2]. As of the published date (2018-05-14) and according to the advisory, the vulnerability remains unpatched in current versions [2]. The recommended mitigation is to discontinue use of MyBiz MyProcureNet until a thorough security review and all identified issues have been resolved [2]. If the product must remain in use, implement strict network segmentation, disable open user registration, and use a web application firewall (WAF) with rules to block uploads of script extensions (e.g., .asp, .aspx, .php, .jsp), though these are workarounds only.