PT-2014-8777 · X7 · X7 Chat
Publicado
2014-11-20
·
Atualizado
2017-09-08
·
CVE-2014-8998
CVSS v2.0
6.5
Média
| Vetor | AV:N/AC:L/Au:S/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
X7 Chat versions 2.0.0 through 2.0.5.1
Description
The issue allows remote authenticated users to execute arbitrary PHP code via a crafted HTTP header to "index.php", which is processed by the
preg replace function with the eval switch. This can lead to code execution.Recommendations
For X7 Chat versions 2.0.0 through 2.0.5.1, consider disabling the
preg replace function with the eval switch in the lib/message.php file until a patch is available. Restrict access to the index.php file to minimize the risk of exploitation. Avoid using the eval switch in the preg replace function to prevent arbitrary code execution.Exploit
Correção
Code Injection
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
X7 Chat