PT-2019-14749 · Rconfig · Rconfig
Askar
·
Publicado
2019-10-26
·
Atualizado
2019-11-19
·
CVE-2019-16663
CVSS v2.0
9.0
Alta
| Vetor | AV:N/AC:L/Au:S/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
rConfig version 3.9.2
Description
An issue allows an attacker to directly execute system commands by sending a GET request to "search.crud.php" because the
catCommand parameter is passed to the exec function without filtering, which can lead to command execution.Recommendations
For rConfig version 3.9.2, as a temporary workaround, consider restricting access to the "search.crud.php" endpoint or filtering the
catCommand parameter to prevent command execution until a patch is available.Exploit
Correção
OS Command Injection
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Rconfig