<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Notrinos - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/notrinos/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 10 Jul 2026 19:39:35 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/notrinos/feed.xml" rel="self" type="application/rss+xml"/><item><title>NotrinosERP Authenticated Arbitrary File Upload Leads to Remote Code Execution</title><link>https://feed.craftedsignal.io/briefs/2026-07-notrinos-erp-rce/</link><pubDate>Fri, 10 Jul 2026 19:39:35 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-notrinos-erp-rce/</guid><description>An authenticated user with the 'SA_EMPLOYEE' permission in NotrinosERP can upload arbitrary files, including PHP web shells, through the HRM employee 'Documents' tab, leading to remote code execution due to a lack of extension, MIME, or content validation.</description><content:encoded><![CDATA[<p>An authenticated remote code execution vulnerability exists in NotrinosERP versions up to and including 1.0.0. An attacker with the HR &quot;Manage Employees&quot; permission (<code>SA_EMPLOYEE</code>) can exploit this by uploading a file with an arbitrary extension, such as a <code>.php</code> web shell, through the employee &quot;Documents&quot; tab. The <code>tab_documents()</code> function in <code>hrm/manage/employees.php</code> fails to validate file extensions, MIME types, or content, directly storing the client-supplied filename in a web-accessible directory. This allows the attacker to execute arbitrary commands on the server by navigating to the newly uploaded web shell. The vulnerability also includes a stored Cross-Site Scripting (CWE-79) sink due to unescaped file paths, and potential path traversal (CWE-22) on certain PHP builds. This threat enables attackers to gain control over the hosting server, posing a significant risk to data integrity and system availability.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Authentication and Initial Access</strong>: An attacker obtains valid credentials for a NotrinosERP user account with the <code>SA_EMPLOYEE</code> permission.</li>
<li><strong>CSRF Token Retrieval</strong>: The attacker logs into NotrinosERP and navigates to the HRM employee &quot;Documents&quot; tab (<code>/hrm/manage/employees.php?_tabs_sel=tab_documents</code>) to obtain a valid CSRF token (<code>_token</code>) from the HTML response.</li>
<li><strong>Malicious File Upload Request</strong>: The attacker crafts a multipart <code>POST</code> request to <code>/hrm/manage/employees.php</code> including the obtained CSRF token, a valid <code>doc_type_id</code>, and a malicious PHP file (e.g., <code>shell.php</code>) containing a web shell payload (e.g., <code>&lt;?php system($_GET['c']); ?&gt;</code>) in the <code>doc_file</code> field.</li>
<li><strong>Arbitrary File Write</strong>: Due to a lack of validation in the <code>tab_documents()</code> function, NotrinosERP stores the malicious PHP file with its original <code>.php</code> extension verbatim in a web-accessible directory, typically <code>company/0/documents/employees/</code>.</li>
<li><strong>Web Shell URL Discovery</strong>: The system echoes the exact path to the uploaded file into a clickable &quot;View&quot; link in the employee &quot;Documents&quot; tab, allowing the attacker to discover the web shell's URL (e.g., <code>/company/0/documents/employees/1_&lt;unix_ts&gt;_shell.php</code>).</li>
<li><strong>Remote Code Execution</strong>: The attacker sends a <code>GET</code> request to the discovered web shell URL, passing OS commands as a parameter (e.g., <code>?c=id</code> or <code>?c=whoami</code>), which are then executed by the web server on the underlying operating system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation results in full remote code execution (RCE) on the server hosting NotrinosERP. This allows an authenticated attacker, holding the <code>SA_EMPLOYEE</code> role (which may not be an administrator role by default), to compromise the entire system. The impact includes unauthorized access to sensitive data, potential data exfiltration, modification or deletion of critical information, and the ability to establish persistent access. The vulnerability also exposes the system to secondary issues like stored Cross-Site Scripting (XSS), which could impact other users.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Detect NotrinosERP Web Shell Upload Attempt&quot; to your SIEM to identify suspicious multipart file uploads.</li>
<li>Implement robust file upload validation at the web server level, specifically blocking executable extensions like <code>.php</code> in the <code>/company/</code> directory.</li>
<li>Ensure web server logs for your NotrinosERP instance include <code>request_body</code> content for HTTP POST requests to facilitate detection of malicious payloads.</li>
<li>Apply available patches for NotrinosERP to address arbitrary file upload vulnerabilities. The suggested fix involves not using client filenames, enforcing extension/MIME allow-lists, and storing uploads outside the web root.</li>
<li>Restrict <code>SA_EMPLOYEE</code> role permissions to only trusted personnel.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>web-application</category><category>remote-code-execution</category><category>file-upload</category><category>php</category><category>notrinos</category></item></channel></rss>