CVE-2020-36973 Overview
CVE-2020-36973 is a remote code execution vulnerability affecting PDW File Browser version 1.3. This vulnerability allows authenticated users to upload and rename webshell files to arbitrary web server locations. Attackers can exploit this flaw by uploading a .txt webshell file, renaming it to .php, and moving it to accessible directories using double-encoded path traversal techniques. This vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type).
Critical Impact
Authenticated attackers can achieve remote code execution on the web server by uploading and manipulating malicious webshell files, potentially leading to complete server compromise.
Affected Products
- PDW File Browser 1.3
Discovery Timeline
- 2026-01-28 - CVE-2020-36973 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2020-36973
Vulnerability Analysis
This remote code execution vulnerability stems from insufficient validation of file upload and rename operations within PDW File Browser. The application fails to properly restrict the types of files that can be uploaded and renamed, allowing attackers to bypass security controls designed to prevent the execution of malicious code.
The attack requires authentication, meaning the attacker must have valid credentials to access the file browser functionality. Once authenticated, the attacker can upload a file with a benign extension (such as .txt) containing webshell code. The vulnerability allows the attacker to then rename this file to an executable extension (such as .php) and move it to a web-accessible directory.
The exploitation technique leverages double-encoded path traversal sequences to bypass directory restrictions, enabling the attacker to place the malicious file in locations outside the intended upload directory.
Root Cause
The root cause of CVE-2020-36973 is the lack of proper input validation and access controls in the file upload and rename functionality. The application does not adequately:
- Validate file extensions during upload and rename operations
- Sanitize path traversal sequences in file rename requests
- Restrict file operations to designated directories
- Block double-encoded characters used to bypass path validation
This combination of weaknesses allows authenticated users to bypass intended security restrictions and place executable files in arbitrary locations on the web server.
Attack Vector
The attack is network-based and requires the attacker to have authenticated access to the PDW File Browser application. The exploitation process follows these steps:
- The attacker authenticates to PDW File Browser with valid credentials
- A text file containing PHP webshell code is uploaded with a .txt extension to bypass any file type restrictions
- The attacker uses the rename functionality with double-encoded path traversal sequences (e.g., %252e%252e%252f) to move and rename the file
- The file is renamed to have a .php extension and placed in a web-accessible directory
- The attacker accesses the webshell directly via HTTP to execute arbitrary commands on the server
Technical details and proof-of-concept information can be found in the Exploit-DB #48987 entry and the VulnCheck Advisory for PDW.
Detection Methods for CVE-2020-36973
Indicators of Compromise
- Presence of newly created .php files in web-accessible directories outside normal upload paths
- Web server logs showing requests with double-encoded path traversal patterns (e.g., %252e%252e%252f)
- Unusual file rename operations converting .txt files to .php extensions
- Evidence of webshell access patterns in access logs (repeated POST requests to unexpected PHP files)
Detection Strategies
- Monitor file system events for suspicious file creation and rename operations in web directories
- Implement web application firewall (WAF) rules to detect double-encoded path traversal attempts
- Deploy file integrity monitoring (FIM) to alert on unexpected PHP file creation
- Analyze web server logs for patterns consistent with webshell deployment and access
Monitoring Recommendations
- Enable verbose logging for file upload and rename operations in PDW File Browser
- Configure alerts for file extension changes from non-executable to executable types
- Monitor for outbound connections from the web server process that may indicate webshell activity
- Implement anomaly detection for authenticated user file operations
How to Mitigate CVE-2020-36973
Immediate Actions Required
- Disable or restrict access to PDW File Browser until a patch is applied
- Review and audit all files in web-accessible directories for unauthorized PHP files
- Implement strict access controls limiting which users can access the file browser functionality
- Configure web server to prevent execution of PHP files in upload directories
Patch Information
Users should review the GitHub PDW File Browser repository for updates and security patches. Given the severity of this vulnerability, organizations should evaluate whether to continue using this software or migrate to alternative solutions with stronger security controls.
For additional technical details and advisory information, refer to the VulnCheck Advisory for PDW.
Workarounds
- Restrict PDW File Browser access to trusted users only via network segmentation or authentication controls
- Configure .htaccess or web server rules to deny PHP execution in upload directories
- Implement server-side file extension whitelisting that cannot be bypassed through rename operations
- Deploy a web application firewall (WAF) to block double-encoded path traversal attempts
# Example Apache configuration to prevent PHP execution in upload directory
<Directory "/var/www/html/uploads">
php_admin_flag engine off
<FilesMatch "\.php$">
Require all denied
</FilesMatch>
</Directory>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
